Upload
dangtu
View
214
Download
0
Embed Size (px)
Citation preview
Atmel Corporation
1150 E. Cheyenne Mountain Blvd.
Colorado Springs, Colorado 80906
Atmel Trusted Platform Module
AT97SC3204 / AT97SC3205 Firmware revisions: 1.2.29.01, 1.2.42.05, 1.2.42.06
Security Policy
FIPS 140-2, Level 1
Document Version 4.3
April 03, 2014
© 2014 Copyright 2014 Atmel Corporation
Atmel Corporation grants permission to freely reproduce in entirety without revision
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 2
Revision History Ver Date Author Description
1.7 Oct 24, 2013 J. Hallman FIPS 140-2 Certified AT97SC3204-X4 device
4.0 Mar 07, 2014 J. Hallman
Maintenance update: Addition of TPM revision AT97SC3205 to support SPI and I2C communication interfaces with the added support of Windows 8 Proof of Possession support. Add Heading numbers to all sections Globally replace AT97SC3204-X4 with AT97SC3204. Update supported package types and part numbers. Added physical Presence label to package drawing pins. Updated pin GPIO6 to GPIO-Express-00. Clarification of FIPS configurations. Updated Crypto Algorithm table and descriptions related to non-approved algorithms.
4.1 Mar 24, 2014 J. Hallman 1.1.1.1 Updates per evaluators comments.
4.2 Mar 27, 2014 J. Hallman Corrected QFN part number error for TWI protocol
4.3 Apr 03, 2014 J. Hallman Added redistribution note
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 3
Table of Contents
1 Module Overview ........................................................................................ 6
1.1 Definition of Cryptographic Module Security Policy .................................... 6
1.2 AT97SC3204 / AT97SC3205 TPM Implementation ................................... 9
2 Security Level ........................................................................................... 15
3 Modes of Operation .................................................................................. 16
3.1 FIPS Operation Configurations ................................................................. 16
3.2 TOE FIPS Indicators ................................................................................ 17
4 Ports and Interfaces ................................................................................. 18
5 Cryptographic Algorithms ......................................................................... 20
6 Key Establishment .................................................................................... 22
7 Security Rules .......................................................................................... 23
7.1 FIPS 140-2 Imposed Security Rules ........................................................ 23
7.2 Atmel Corporation Imposed Security Rules .............................................. 26
8 Identification and Authentication Policy ..................................................... 28
8.1 Roles and Services .................................................................................. 28
8.1.1 TOE Roles ......................................................................................... 28
8.1.2 TOE Services ..................................................................................... 29
8.2 Authentication ........................................................................................... 42
8.2.1 Physical Presence ............................................................................. 45
8.2.2 Strength ............................................................................................. 46
8.2.3 Failed Authentication Attempts Counter............................................. 53
8.3 Identification ............................................................................................. 55
9 Access Control Policy ............................................................................... 56
9.1 Definition of Critical Security Parameters (CSPs) ..................................... 56
9.2 Definition of Public Keys ........................................................................... 60
9.3 CSP Access Type .................................................................................... 60
9.4 Logical Access Policy ............................................................................... 61
10 Physical Security Policy ......................................................................... 65
11 Operational Environment ....................................................................... 66
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 4
11.1 Operating ranges .................................................................................. 67
12 Mitigation of Other Attacks Policy ........................................................... 69
12.1 Housing ................................................................................................. 69
12.2 Internal Tamper Detection ..................................................................... 69
12.3 Environmental protection ...................................................................... 69
13 References ............................................................................................ 70
14 Definitions and Acronyms....................................................................... 72
Tables:
Table 1 - AT97SC3204 Pin Definitions .................................................................. 12
Table 2 - AT97SC3205 Pin Definitions .................................................................. 14
Table 3 – Module Security Level Specification ...................................................... 15
Table 4 - Configuration Identification Summary ..................................................... 17
Table 5 – AT97SC3204 Physical Ports and Interfaces .......................................... 18
Table 6 – AT97SC3205 Physical Ports and Interfaces .......................................... 19
Table 8 – Security strength .................................................................................... 22
Table 9 – TOE Authentication ................................................................................ 29
Table 10 – TOE Services ....................................................................................... 29
Table 11 – TOE Service Description ..................................................................... 35
Table 12 – AT97SC3204 Authentication Strength ................................................. 49
Table 13 – AT97SC3205 Authentication Strength ................................................. 52
Table 14 – Failure Modulus ................................................................................... 53
Table 15 – Lockout delay vs. FAILMOD value ....................................................... 54
Table 16 – CSP Identification ................................................................................ 56
Table 17 – CSP Access Type ................................................................................ 60
Table 18 – Logical Access ..................................................................................... 61
Figures:
Figure 1: AT97SC3204 Block Diagram (LPC Communication Protocol) ................. 7
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 5
Figure 2: AT97SC3205 Block Diagram (SPI and I2C Communication Protocol) ..... 8
Figure 3: Sample Image of the Physical Cryptographic Module .............................. 9
Figure 4: AT97SC3204 Package Pinout Diagrams ............................................... 11
Figure 5: AT97SC3205 Package Pinout Diagrams ............................................... 13
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 6
2 Module Overview
2.1 Definition of Cryptographic Module Security Policy
Security Level 1
The AT97SC3204 / AT97SC3205 Trusted Platform Module, referred to as the Target of Evaluation (TOE), is a fully integrated security module designed to be integrated into personal computers and other embedded systems. The security module is used primarily for cryptographic key generation, key storage and key management as well as generation and secure storage for digital certificates. The TOE implements version 1.2 of the Trusted Computing Group (TCG) specification for Trusted Platform Modules (TPM). The TPM is a single chip cryptographic module as defined in FIPS 140-2. The single silicon chip is encapsulated in a hard, opaque, production grade integrated circuit (IC) package. The cryptographic boundary is defined as the perimeter of the IC package, including the I/O pins through which all communication to and from the module occurs. The cryptographic boundary includes the module’s internal 8-bit AVR microcontroller, 16KB of EEPROM, 128KB / 144KB of ROM, respectively, multiple banks of SRAM, cryptographic acceleration hardware and an internal Random Number Generator. Protection circuitry is included that can detect and respond to environmental changes and to hardware tamper events. No hardware or firmware components of the module are excluded from the requirements of FIPS 140-2.
The evaluated TOE has several configurations based upon the preferred external communication protocol. The LPC communication protocol is supported by devices AT97SC3204. The SPI and I2C communication protocol is supported by devices AT97SC3205. The communication protocol selection has no relevance to the security level of the device. All three protocol configurations are included in this evaluation and collectively referred to as the TOE.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 7
Figure 1: AT97SC3204 Block Diagram (LPC Communication Protocol)
33 MHz LPC InterfaceContains:
TPM Interface Spec support
TIS Data FIFO
TIS Status registers
TIS Access registers
DID/VID/RID registers
Legacy registers
Configuration registers
Interface capability register
Interrupt registers
GPIOContains:
GPIO-Express-00PP (Physical Presence)
SRAM1
SRAM2
AT97SC3204 Block DiagramROM Program MemoryContains:
Executable firmware
TCG command support firmware
Crypto library
Internal drivers
EEPROM write & read drivers
RNG driver
RTC driver
Tamper driver
Trim driver
Shield driver
LPC Interface drivers
TIS driver
TCG messaging driver
SHA-1 driver
GPIO driver
Clock drivers
RTC driver
UsageTimer driver
Test firmware (disabled)
Physical Security CircuitryContains:
Temperature tamper detection circuitVoltage tamper detection circuitClock input filterTop metal active shield EEPROM Data Memory
Contains:Key cache
Platform Configuration Registers
NVStore memory space
TPM Permanent Flags register
Tamper Residue register
AVR 8-bit
RISC CPU
TimerContains:
Usage Timer
Real Time Clock
Crypto EngineContains:
RSA hardware supportSHA-1 engine
EEPROM Program MemoryContains:
Executable firmware
TCG command support firmware
Random Number GeneratorContains:
Linear Feedback Shift Register
LAD0 – LAD3
LCLK
LFRAME
GPIO6-Express-00
Physical Presence
LRESET
LPCPD
CLKRUN
SERIRQ
Cryptographic Boundary
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 8
Figure 2: AT97SC3205 Block Diagram (SPI and I2C Communication Protocol)
The basic tasks of the TOE include the following:
Measurement (through a SHA-1 hash mechanism), storage and reporting of the state of the computing platform bound physically and cryptographically to the platform.
Execution of strong authentication mechanisms for identification of a computing platform identity.
Provision of the following cryptographic services to the host platform:
o Generation of RSA key pairs
o RSA digital signature and verification
o RSA key wrapping (encryption)
o Random number generation
The TOE can be used by the host system to monitor the system boot process. The current system state may be compared to reference state values which were previously generated at a time when the system state was known to be trustworthy. The TPM can bind data or keys to a specific system status. The TPM can grant or deny access to keys and data if the current system state differs from the known trusted system state.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 9
2.2 AT97SC3204 / AT97SC3205 TPM Implementation The Hardware and Firmware versions implemented in the FIPS evaluated and certified version of the TOE are:
TOE Identification: Trusted Platform Module Atmel AT97SC3204 / AT97SC3205
TOE Version Identification: AT97SC3204, LPC Communication Protocol: 1.2.29.01 AT97SC3205, SPI Communication Protocol: 1.2.42.05 AT97SC3205, I2C Communication Protocol: 1.2.42.06
TOE Hardware Version Number: AT97SC3204: 29 AT97SC3205: 42
TOE Firmware Version Number: - AT97SC3204, LPC Communication Protocol: 01 - AT97SC3205, SPI hardware interface activated: 05 - AT97SC3205, I2C hardware interface activated: 06
The device name “AT97SC3204” is used throughout this security policy to refer to the TOE configured with the firmware image to support the LPC communication protocol unless specifically noted otherwise.
The device name “AT97SC3205” is used throughout this security policy to refer to the TOE configured with the corresponding firmware image to support the SPI or I2C communication protocol unless specifically noted otherwise.
Figure 3: Sample Image of the Physical Cryptographic Module
Pin 1 indicator Firmware revision
Country of Origin
Philippines
Date code
Truncated part number
Lot number
Hardware revision
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 10
The TOE is manufactured in two packages:
28-pin 4.4mm TSSOP
o LPC Communication Protocol
Part numbers: AT97SC3204-X4, AT97SC3204-U4
o SPI Communication Protocol
Part numbers: AT97SC3205-X3, AT97SC3205-U3
o I2C Communication Protocol
Part numbers: AT97SC3205T-X3, AT97SC3205T-U3
32-pin 4x4mm QFN
o LPC Communication Protocol
Part numbers: AT97SC3204-G4, AT97SC3204-H4
o SPI Communication Protocol
Part numbers: AT97SC3205-G3, AT97SC3205-H3
o I2C Communication Protocol
Part numbers: AT97SC3205T-G3, AT97SC3205T-H3
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 11
The pin layout for the AT97SC3204 configuration of the TOE is shown in Figure 4.
Figure 4: AT97SC3204 Package Pinout Diagrams
LPC
Protocol
LPC
Protocol
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 12
The pin description for the AT97SC3204 configuration of the TOE is given in Table 1.
Table 1 - AT97SC3204 Pin Definitions
TSSOP Pin
QFN Pin
LPC Pin Name
Pin type
Description
10,19,24 8,18,23 VCC I 3.3V Supply Voltage
5 2 SB3V I Standby 3.3V Supply Voltage
4,11,18,25 3,9,32 GND I Ground
16 17 LRESET# I PCI Reset Input Active Low
26 28 LAD0 I/O LPC Command, Address, Data Line Input/Output
23 22 LAD1 I/O LPC Command, Address, Data Line Input/Output
20 19 LAD2 I/O LPC Command, Address, Data Line Input/Output
17 12 LAD3 I/O LPC Command, Address, Data Line Input/Output
21 20 LCLK I 33 MHz PCI Clock Input
22 21 LFRAME# I LPC FRAME Input
15 15 CLKRUN# I PCI Clock Run Input/Output
28 25 LPCPD# I LPC Power Down Input
27 24 SERIQ I/O Serialized Interrupt Request Input/Output
6 4 GPIO-Express-00 I/O GPIO assigned to TPM_NV_INDEX_GPIO_00
8 6 TestI I Test Input (disabled)
9 7 TestBI I Test Input (disabled)
1,2,3 1,29,30 ATest I Atmel Test Pin (disabled)
7 5 PP/GPIO I/O GPIO assigned to Hardware Physical Presence
12,13,14 10,11,13,14
16,26,27,31 NBO N/A Not Bounded out – no connection to circuitry
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 13
The pin layout for the AT97SC3205 configuration of the TOE is shown in Figure 5.
Figure 5: AT97SC3205 Package Pinout Diagrams
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 14
The pin description for the AT97SC3205 configuration of the TOE is given in Table 2.
Table 2 - AT97SC3205 Pin Definitions
TSSOP Pin
QFN Pin
SPI Pin Name
I2C Pin Name
Pin type
Description
3,10,19,24 1,8,22 Vcc Vcc I 3.3V Supply Voltage
4,11,18,25 2,9,23,32 GND GND I Ground
16 17 SPI_RST# LRESET# I SPI: SPI Reset Pin I2C: Reset Input Active Low
21 19 SPI_CLK ATest I SPI: SPI Clock Input I2C: Atmel Test Pin (disabled)
22 20 SPI_CS# TWI_Wakeup# I SPI: SPI Chip Select I2C: Sleep State Pin
26 24 MISO ATest O SPI: SPI Slave Data Output I2C: Atmel Test Pin (disabled)
21 21 MOSI ATest I SPI: SPI Slave Data Input I2C: Atmel Test Pin (disabled)
2 29 GPIO1 SM_CLK I/O SPI: General Purpose Input / Output I2C: TWI Serial Clock Input
1 30 GPIO2 SM_DAT I/O SPI: General Purpose Input / Output I2C: TWI Serial Data Input / Output
17 12 GPIO3 GPIO I/O General Purpose Input / Output
20 18 PIRQ# PIRQ# I/O PCI Interrupt Requests
6 3 GPIO-Express-00 GPIO-Express-00 I/O GPIO assigned to TPM_NV_INDEX_GPIO_00
7 4 PP/GPIO PP/GPIO/TWI_Wakeup# I/O GPIO assigned to Hardware Physical Presence
8 5 TestI TestI I Test Input (disabled)
9 6 TestBI/GPIO TestBI/GPIO I Test Input (disabled)
5,12,13,14, 15,27,28
7,10,11, 13-16,
25-28,31 NBO NBO N/A Not Bounded out – no connection to circuitry
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 15
3 Security Level
Security Level 1
The cryptographic module meets the overall requirements applicable to Level 1 security of
FIPS 140-2.
Table 3 – Module Security Level Specification
Security Requirements Section Level
Cryptographic Module Specification 1
Cryptographic Module Ports and Interfaces 1
Roles, Services and Authentication 1
Finite State Model 1
Physical Security 1
Operational Environment N/A
Cryptographic Key Management 1
EMI/EMC 1
Self-Tests 1
Design Assurance 1
Mitigation of Other Attacks 1
Overall 1
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 16
4 Modes of Operation
Security Level 1
The Atmel TPM can operate in one of three permanently locked configurations; Legacy FIPS configuration, WIN8 FIPS configuration or Standard configuration. TPM configuration occurs one time during device initialization prior to taking ownership of the TPM device and is not reversible. Selection of a FIPS configuration results in this device being governed by this security policy. For a device configured as Standard configuration, this configuration is not the validated module and this security policy does not apply. Critical firmware components are loaded and locked into the TPM internal EEPROM memory during the TPM manufacturing process. The device configuration is established during the final stage of the TPM system manufacturing process. The firmware revisions specified in the section entitled AT97SC3204 / AT97SC3205 TPM Implementation are the only firmware images that correspond to this security policy.
4.1 FIPS Operation Configurations
All firmware images of this security policy support a FIPS configuration. For ease of configuration identification, the configuration options are referred to as “Legacy FIPS” and “WIN8 FIPS”. The configurations only differ as defined below. Legacy FIPS
RSA keys of the key type TPM_KEY_LEGACY are not allowed. Requests to generate, load or use Legacy keys will result in failure of the command.
All keys require authorization (cannot set key TPM_AUTH_DATA_USAGE value to TPM_AUTH_NEVER). RSA Key usage parameters will always require authorization for key generation, key loading or key usage. Requests to generate, load or use keys that do not require authorization will result in failure of the command
TPM command TPM_Establish_Transport can only be executed with an algorithm ID of TPM_ALG_AES128 for encryption.
WIN8 FIPS
RSA keys of the key type TPM_KEY_LEGACY are allowed. Requests to generate, load or use Legacy keys will not result in failure of the command. (For interoperability; all data processing with Legacy keys is considered equivalent to plaintext for the purpose of FIPS 140-2 validation.).
The creation of keys requiring no authorization is allowed (can set key TPM_AUTH_DATA_USAGE value to TPM_AUTH_NEVER. Implicit authorization for users, allowed in FIPS 140-2 level 1).
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 17
TPM command TPM_Establish_Transport can be executed with an algorithm ID of TPM_ALG_AES128 (for encryption) or TPM_ALG_MGF1 (For interoperability; this is considered equivalent to plaintext for FIPS 140-2 validation.).
The device configuration is established during the final stage of the TPM system manufacturing process and cannot be reversed. AT97SC3204 TPM units only support the
“Legacy FIPS” configuration while the AT97SC3205 TPM units support both FIPS configurations.
4.2 TOE FIPS Indicators
The configuration of FIPS operation is recorded in the TPM_PERMANENT_FLAGS “FIPS” flag and the Atmel Specific TPM Command TPM_Lock_FIPS structure. Once set, the selected FIPS configuration cannot be disabled or altered for the lifetime of the TPM chip. A User can verify the state of the “FIPS” flag by issuing the command TPM_getCapability with a capability name of TPM_CAP_FLAG (0x00000004) and a subcap of TPM_CAP_FLAG_PERMANENT (0x00000108). A User can verify the internal FIPS configuration setting in the Atmel Specific TPM Command structure through the command TPM_Lock_FIPS with fipsMode = (0x00000002). The below table identifies the permanent setting of the two control parameters used to lock the device in the selected configuration.
Table 4 - Configuration Identification Summary
Revision Mode Configuration TPM_PERMANENT_
FLAGS
“FIPS” Flag
TPM_Lock_FIPS Return Code
Indication
AT97SC3204 FIPS Legacy FIPS TRUE Legacy_FIPS
Standard Non-FIPS FALSE STD_MODE
AT97SC3205 FIPS
Legacy FIPS TRUE Legacy_FIPS
WIN8 FIPS FALSE WIN_FIPS
Standard Non-FIPS FALSE STD_MODE
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 18
5 Ports and Interfaces Security Level 1 The TOE provides the following physical ports and interface pins. For ease of deciphering pin functions between unit AT97SC3204 and unit SC97SC3205 versions, separate tables are provided for each.
Table 5 – AT97SC3204 Physical Ports and Interfaces
Pin Name Pin type
VIL VIH VOL VOH Description
VCC I -0.5V 3.63V 3.3V (+/- 10%) Power Supply Voltage
SB3V I -0.5V 3.63V Standby 3.3V (+/- 10%) Supply Voltage
GND I 0V 0V System Ground
LRESET# I -0.5V 4.13V Active Low PCI Reset Input. Driving this pin low resets the internal
state of the TPM and is equivalent to removal of power from the chip.
LAD0, LAD1
LAD2, LAD3 I/O -0.5V 4.13V 0.4V 2.5V
LPC Command, Address and Data Input/Output pins. The LPC bus
transmits 8 bits per transaction in two 4-bit packets.
LCLK I -0.5V 4.13V
33 MHz PCI Clock Input. The frequency and duty cycle of this clock
must be accurately maintained by the system to the parametric
specifications listed in the T97SC3204 datasheet.
LFRAME# I -0.5V 4.13V LPC FRAME indicator input pin
CLKRUN# I/O -0.5V 4.13V 0.4V 2.5V
PCI ClockRun Input/Output pin. Clock control handshake pin. When
asserted by the system, indicates the intent to remove the 33MHz
clock signal from the LCLK input pin. The TPM may hold off removal of
the clock by holding the CLKRUN# pin low until it is prepared for
removal of the clock signal.
LPCPD# I -0.5V 4.13V
LPC Power Down Input. LPCPD# is intended to indicate that the LPC
Bus peripheral device (TPM) should prepare for system power-down,
or for power to be shut off to devices on the LPC interface. Since the
TPM automatically enters a low-power state after completion of every
command, no special preparation is required by the TPM. No action is
taken by the TPM when an active signal is received on this pin.
SERIQ I/O -0.5V 4.13V 0.4V 2.5V
Serialized Interrupt Request Input/Output. LPC Serialized IRQ. The
Serial Interrupt Request pin is typically used to signal the system
processor that the TPM has completed execution of a command and
data is available to be read, when the TPM Locality has changed or
when the TPM is ready to receive a new command. SERIRQ meets
the Intel Low Pin Count (LPC) Interface Specification Revision 1.1
August 2002. This is an unused pin in general usage.
GPIO-
EXPRESS-00 I/O -0.5V 4.13V 0.4V 2.5V
General Purpose Input/Output pin configured by internal firmware as
an Output only. Serves as an indicator signal by the TPM to other
system components. The state of GPIO-EXPRESS-00 is determined
by the data value written to the GPIO-EXPRESS-00 field by a
TPM _NV_WriteValue or TPM_NV_WriteValueAuth command.
PP/GPIO I -0.5V 4.13V 0.4V 2.5V General Purpose input/output pin whose state indicates the physical
presence of an authorized operator.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 19
Pin Name Pin type
VIL VIH VOL VOH Description
TestI I -0.5V 4.13V Test Input (permanently disabled during TPM manufacturing)
TestBI I -0.5V 4.13V Test Input (permanently disabled during TPM manufacturing)
ATest I -0.5V 4.13V Atmel Test Pin (permanently disabled during TPM manufacturing)
Table 6 – AT97SC3205 Physical Ports and Interfaces
Pin Name SPI / I2C
Pin type
VIL VIH VOL VOH Description
VCC I -0.5V 3.63V 3.3V (+/- 10%) Power Supply Voltage
GND I 0V 0V System Ground
SPI_RST# /
LRESET# I -0.5V 4.13V
Active Low PCI Reset Input. Driving this pin low resets the internal
state of the TPM and is equivalent to removal of power from the chip.
SPI_CLK I -0.5V 4.13V SPI interface clock. Asserted high for power savings when the TPM is
not in use.
MISO O 0.4V 2.5V Master In Slave Out. SPI slave data output from the TPM.
MOSI I -0.5V 4.13V Master Out Slave In. SPI slave data input to the TPM.
SPI_CS# I -0.5V 4.13V SPI chip select input to the TPM.
SM_DAT I/O -0.5V 4.13V 0.4V 2.5V I2C serial data input / output pin to the TPM.
SM_CLK I -0.5V 4.13V I2C serial clock input to the TPM.
TWI_Wakeup# I -0.5V 4.13V Sleep state pins. These two pins serves as the mechanism to wake the
TPM from deep sleep.
PIRQ# I/O -0.5V 4.13V 0.4V 2.5V PCI Interrupt Request line. Open drain output that pulls low to request
an interrupt to the system processor.
GPIO-
EXPRESS-00 I/O -0.5V 4.13V 0.4V 2.5V
General Purpose Input/Output pin configured by internal firmware as
an Output only. Serves as an indicator signal by the TPM to other
system components. The state of GPIO-EXPRESS-00 is determined
by the data value written to the GPIO-EXPRESS-00 field by a
TPM _NV_WriteValue or TPM_NV_WriteValueAuth command.
PP/GPIO I/O -0.5V 4.13V 0.4V 2.5V General Purpose input/output pin whose state indicates the physical
presence of an authorized operator.
GPIO I/O -0.5V 4.13V 0.4V 2.5V General Purpose input/output pin.
TestI I -0.5V 4.13V Test Input (permanently disabled during TPM manufacturing)
TestBI I -0.5V 4.13V Test Input (permanently disabled during TPM manufacturing)
ATest I -0.5V 4.13V Atmel Test Pin (permanently disabled during TPM manufacturing)
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 20
6 Cryptographic Algorithms The TOE supports the following cryptographic algorithms. Algorithm certificate numbers for each approved algorithm are listed.
Table 7 – Cryptographic Algorithms
7 Algorithm
Approved
/ Non-
Approved
Certificate
Number (AT97SC3204)
Certificate
Number (AT97SC3205)
RSA
Digital Signature Verification, Digital Signature Generation when key length >=2048
Approved 1203 1469
Digital Signature Generation when key length (n) is1024 <= |n| <2048
Non-Approved
N/A N/A
SHA-1 (SHS)
Digital Signature Verification, Non-digital signature generation applications
Approved 2015 2354
Digital Signature Generation Non-
Approved N/A N/A
HMAC Approved 1445 1757
AES Approved 2333 2806
RNG Approved 1163 1273
TPM KDF (CVL) Approved Prior 2014 250
MGF1 Non-
Approved N/A N/A
RSA: The TOE will permit RSA 1024-bit key generation and digital signature generation to retain device interoperability. These functions are Non-Approved and are considered equivalent to plaintext or obfuscation with no security claims. The services that can employ this non-approved algorithm are:
o TPM_CreateWrapKey o TPM_CMK_CreateKey o TPM_CMK_ConvertMigration o TPM_Sign o TPM_CertifyKey o TPM_CertifyKey2 o TPM_Quote o TPM_Quote2 o TPM_TickStampBlob o TPM_ReleaseTransportSigned o TPM_ChangeAuthAsymStart
Note: These services also have the option to use approved 2048-bit key sizes.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 21
SHA-1: The TOE will permit SHA-1 hash usage during digital signature generation to retain device interoperability. This function is Non-Approved and it is used with no security claims. The services that employ this non-approved algorithm are:
o TPM_Sign o TPM_CertifyKey o TPM_CertifyKey2 o TPM_Quote o TPM_Quote2 o TPM_TickStampBlob o TPM_ReleaseTransportSigned
MGF-1: The non-approved algorithm MGF-1 is not used to protect or encrypt CSPs. MGF-1 is used to obfuscate some input information passed to the module and some output information received from the module. The services that employ this non-approved algorithm are:
Direct Anonymous Attestation commands o TPM_DAA_Join o TPM_DAA_Sign
Transport commands o TPM_EstablishTransport o TPM_ExecuteTransport o TPM_ReleaseTransportSigned
Seal commands o TPM_Sealx o TPM_unSeal o (note: MGF1 is not used by the service TPM_Seal)
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 22
8 Key Establishment Relative security strength has been calculated for each cryptographic algorithm supported by the module and used in key establishment. Table 8 – Security strength
Algorithm Comparable number of bits of security
RSA-10241 80
RSA-2048 112
AES-128 128
Note 1: RSA-1024 is for interoperability. This key size is non-compliant for FIPS 140-2 validation.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 23
9 Security Rules
Security Level 1
The following sub-sections describe the security rules implemented by the TOE.
The security rules are segregated into two categories:
Security rules derived from the requirements of FIPS 140-2, the TCG TPM
specification and PC Client TPM specification.
Security rules imposed by Atmel
9.1 FIPS 140-2 Imposed Security Rules
1. The TOE supports the following interfaces (refer to Table 5 and Table 6):
Data input interface
- Signals:
- LPC: LAD0, LAD1, LAD2, LAD3
- SPI: MOSI
- I2C: SM_DAT
Data output interface
- Signals:
- LPC: LAD0, LAD1, LAD2, LAD3
- SPI: MISO
- I2C: SM_DAT
Control input interface
- Signals:
- LPC: PP/GPIO, CLKRUN#, LRESET#, LCLK, LFRAME#,
SERIRQ, LPCPD#, LAD0, LAD1, LAD2, LAD3
- SPI: PP/GPIO, SPI_RST#, SPI_CLK, SPI_CS#, PIRQ#, MOSI
- I2C: PP/GPIO/TWI_Wakeup#, LRESET#, SM_CLK, SM_DAT,
TWI_Wakeup#
Status output interface
- Signals:
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 24
- LPC: GPIO-Express-00, CLKRUN#, SERIRQ, LPCPD#, LAD0,
LAD1, LAD2, LAD3
- SPI: PIRQ#, MISO, GPIO-Express-00
- I2C: PIRQ#, SM_DAT, GPIO-Express-00
Power input interface
- Signals:
- LPC: Vcc, SB3V, GND
- SPI, I2C: Vcc, GND
2. The TOE interfaces are logically distinct from each other based on the
command structure.
3. The logical state machine and command structure of the TOE inhibits all
data output via the data output interface whenever an error state exists and
while doing self tests.
4. Based on the structure of the commands, the TOE logically disconnects the
output data path from the circuitry and processes performing the following
key functions:
Key generation
Key zeroization
5. The TOE supports a Cryptographic Officer role and a User role.
6. When power is removed from the TOE, all existing authentication sessions
are destroyed. Therefore, the TOE must re-authenticate every role or
identity after each power-on sequence.
7. The TOE utilizes a production quality integrated circuit with standard
passivation.
8. The TOE’s logical command structure, authentication mechanisms, memory
management techniques, and physical implementation protect private and
secret keys (Table 16 – CSP Identification) from unauthorized disclosure,
modification and substitution.
9. The TOE’s logical command structure and authentication mechanisms
protect public keys against unauthorized modification and substitution.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 25
10. The TOE generates keys using a pseudo random number generator that is
implemented in conformance to FIPS 186-2. National Institute of Standards
and Technology, Digital Signature Standard (DSS), Federal Information
Processing Standards Publication 186-2, Appendix 3, Section 3.1 January
27, 2000.
11. The AT7SC3204 TPM’s authentication mechanisms associate private and
secret keys entered, stored, or output with the correct entity.
12. The TOE provides logical and/or physical mechanisms to zeroize all
plaintext cryptographic keys and other unprotected critical security
parameters within the TOE.
13. The TOE performs the following self tests:
Power-up and on-demand tests:
- Cryptographic algorithm known-answer-tests (KAT).
- SHA1
- RSA
a. Encrypt/decrypt
b. Sign/Verify
- RNG
- HMAC
- MGF1
- AES (encryption and decryption)
- Firmware integrity test.
Conditional tests:
- Continuous random number generator tests.
- The deterministic RNG produces blocks of 160 bits.
Each subsequent 160-bit block output from the RNG is
compared to the previous block. The test fails if any two
compared 160-bit sequences are equal.
- The nondeterministic RNG that provides entropy input
to the deterministic RNG produces blocks of 160 bits.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 26
Each subsequent 160-bit block output from the RNG is
compared to the previous block. The test fails if any two
compared 160-bit sequences are equal.
- Pair-wise consistency test for public and private keys
14. The power-on self-tests do not require operator intervention in order to run.
Power-on self test execution always completes the full suite of self tests in
its entirety. Input activity is ignored and output activity is inhibited until the
self tests have successfully completed.
15. The TOE provides a “success” Return Code via the "status output" interface
if all of the power-on self-tests have passed successfully.
16. The TOE outputs an “error” Return Code via the status interface when the
error state is entered due to a failed self-test.
17. The TOE does NOT perform any cryptographic functions while in the error
state.
9.2 Atmel Corporation Imposed Security Rules
1. The TOE provides a No Auth Required role that allows specific services to
be performed without an open authentication session.
2. The TOE provides Role-based authentication.
3. The TOE supports concurrent operators and internally maintains the
separation of the roles assumed by each operator and corresponding
services using authentication sessions.
4. The TOE does NOT provide a Maintenance Role or Maintenance Interface.
5. Authentication mechanisms are required to support the following authorized
roles:
Crypto Officer
User
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 27
The authentication mechanisms that support these roles meet the strength
requirements of FIPS 140-2, Level 2.
The authorized role Physical Presence does not require authentication
mechanisms to support or enforce the role.
The authorized role No Authentication Required does not require
authentication mechanisms to support or enforce the role.
6. The TOE provides the following services:
Reference Table 10 – TOE Services
7. The TOE does NOT provide a bypass capability.
8. The TOE outputs plaintext key type data using the TMP_UnBind or
TPM_UnSeal services.
9. The TOE’s logical command structure, authentication mechanisms, memory
management techniques, and physical implementation protect
authentication data stored within the TOE against unauthorized disclosure,
modification, and substitution.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 28
10 Identification and Authentication Policy
Security Level 1
The following sub-sections describe the authentication and identification
mechanisms employed by the TOE. The TOE provides Role-based authentication
defined by FIPS 140-2. Note that authentication and identification mechanisms
apply only to the CO and User roles.
10.1 Roles and Services The following subsections describe the roles and services provided by the TOE.
10.1.1 TOE Roles
The TOE provides the following four authorized roles:
Crypto Officer (CO) – The services provided under the CO Role require the operator to authenticate to the TOE as the “owner”. The CO services are used to initialize/configure the TPM and to install users.
User – The services provided under the User Role require the operator to authenticate to the TOE as an “entity”. The User services obtain cryptographic or protected capability functions from the TPM.
Physical Presence (PP) – A limited number of TPM commands may be authorized by assertion of Physical Presence (PP), which serves as an indication to the TPM that the operator is physically present at the system, not communicating over a network from a remote location. Authorization for assumption of the Physical Presence role is implicit. Physical Presence may be asserted in either of two methods, both of which authorize use of the same set of capabilities. Physical Presence authorization may be accomplished by setting a logic high voltage on the hardware pin at the time a service request is sent to the module (assertion of tpmGo bit in the TIS register [5]). The method for setting the voltage on the Physical Presence pin (e.g. connection to a button or a maintenance cover) is outside the cryptographic boundary. Physical Presence may also be asserted by sending the software command TSC_PhysicalPresence [4]. The capability for asserting software Physical Presence exists when the TPM is initially powered up. Atmel User Guidance instructs system designers to systematically disable the capability for asserting software Physical Presence after completion of essential early boot operations (e.g. at the completion of BIOS execution). Once disabled, Physical Presence may not be re-asserted by the software command mechanism until after a power down or Reset event. The capability to assert Physical Presence by the hardware pin mechanism remains active at all times and cannot be disabled.
No Authentication Required – The authorized services provided under this role do not require any authentication. Authorization for assuming this role is implicit. The No Auth Required services do not require the use of protected capability functions (i.e. functions that require the use of CSPs associated with the CO or
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 29
User). The list of No Authentication Required services is included in the full list of TPM services in Table 10 – TOE Services. No Authentication Required services are identified by the label: No Auth Required.
Table 9 – TOE Authentication
Role Type of Authentication Authentication Data
Crypto Officer Role based 160-bit auth data
User Role based 160-bit auth data
Physical Presence Implicit (none) None
No Authentication Required
Implicit (none) None
10.1.2 TOE Services
The services and corresponding roles provided by the TOE are shown in Table 10 for access control information.
Table 10 – TOE Services
Services Roles
# Name CO User PP NoAuth
1. TPM_OIAP X
2. TPM_OSAP X
3. TPM_DSAP X
4. TPM_Terminate_Handle X
5. TPM_ChangeAuth X
6. TPM_ChangeAuthOwner X
7. TPM_TakeOwnership X
8. TPM_Extend X
9. TPM_PcrRead X
10. TPM_PCR_Reset X
11. TPM_Quote X
12. TPM_Quote2 X
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 30
Services Roles
# Name CO User PP NoAuth
13. TPM_DirWriteAuth X
14. TPM_DirRead X
15. TPM_Seal X
16. TPM_Sealx X
17. TPM_Unseal X
18. TPM_UnBind X
19. TPM_CreateWrapKey X
20. TPM_LoadKey X (X1)
21. TPM_LoadKey2 X (X1)
22. TPM_EvictKey X
23. TPM_GetPubKey X
24. TPM_OwnerReadPubek X
25. TPM_OwnerReadInternalPub X
26. TPM_CreateMigrationBlob X
27. TPM_ConvertMigrationBlob X
28. TPM_AuthorizeMigrationKey X
29. TPM_MigrateKey X
30. TPM_CMK_ApproveMA X
31. TPM_CMK_CreateBlob X
32. TPM_CMK_CreateKey X
33. TPM_CMK_CreateTicket X
34. TPM_CMK_SetRestrictions X
35. TPM_CMK_ConvertMigration X
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 31
Services Roles
# Name CO User PP NoAuth
36. TPM_SHA1Start X
37. TPM_ SHA1Update X
38. TPM_ SHA1Complete X
39. TPM_ SHA1CompleteExtend X
40. TPM_CertifyKey X
41. TPM_CertifyKey2 X
42. TPM_Sign X
43. TPM_GetRandom X
44. TPM_StirRandom X
45. TPM_SelfTestFull X
46. TPM_CertifySelfTest X
47. TPM_ContinueSelfTest X
48. TPM_GetTestResult X
49. TPM_Reset X
50. TPM_SaveState X
51. TPM_StartUp X
52. TPM_OwnerClear X
53. TPM_DisableOwnerClear X
54. TPM_DisableForceClear X
55. TPM_GetCapability X
56. TPM_ GetCapabilityOwner X
57. TPM_ DAA_JOIN X
58. TPM_DAA_SIGN X
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 32
Services Roles
# Name CO User PP NoAuth
59. TPM_SaveContext X
60. TPM_LoadContext X
61. TPM_NV_DefineSpace X X
62. TPM_NV_ReadValue X X
63. TPM_NV_ReadValueAuth X X
64. TPM_NV_WriteValue X X
65. TPM_NV_WriteValueAuth X X
66. TPM_OwnerSetDisable X
67. TPM_PhysicalDisable X
68. TPM_PhysicalEnable X
69. TPM_PhysicalSetDeactivated X
70. TPM_SetTempDeactivated X X
71. TPM_CreateEndorsementKeyPair X
72. TPM_CreateRevocableEK X
73. TPM_RevokeTrust X
74. TPM_CreateCounter X
75. TPM_ReadCounter X
76. TPM_ReleaseCounter X
77. TPM_ReleaseCounterOwner X
78. TPM_ReadPubek X
79. TPM_DisablePubekRead X
80. TPM_OwnerReadPubek X
81. TPM_MakeIdentity X X
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 33
Services Roles
# Name CO User PP NoAuth
82. TPM_ActivateIdentity X X
83. TPM_Delegate_CreateKeyDelegation X
84. TPM_Delegate_CreateOwnerDelegation X
85. TPM_Delegate_LoadOwnerDelegation X
86. TPM_Delegate_Manage X
87. TPM_Delegate_ReadTable X
88. TPM_Delegate_UpdateVerification X
89. TPM_Delegate_VerifyDelegation X
90. TPM_EstablishTransport X
91. TPM_ExecuteTransport X
92. TPM_ReleaseTransportSigned X
93. TPM_FlushSpecific X
94. TPM_ForceClear X
95. TPM_GetTicks X
96. TPM_TickStampBlob X
97. TPM_IncrementCounter X
98. TPM_KeyControlOwner X
99. TPM_ResetLockValue X
100. TPM_SetCapability X
101. TPM_SetOperatorAuth X
102. TPM_SetOwnerInstall X
103. TPM_SetOwnerPointer X
104. TPM_changeAuthAsymStart X
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 34
Services Roles
# Name CO User PP NoAuth
105. TPM_changeAuthAsymFinish X
Locality Controlled Services
106. TPM_HASH_START X
107. TPM_HASH_DATA X
108. TPM_HASH_END X
TPM Connection Services
109. TSC_PhysicalPresence X
110. TSC_ResetEstablishmentBit X
Atmel Specific Services
111. TPM_SetState X
112. TPM_OwnerSetState X
113. TPM_GetState X
114. TPM_Identify X
115. TPM_VerifySignature X
116. TPM_BindV20 X
117. TPM_DeepSleep (I2C protocol only) X
118. TPM_Lock_FIPS X
Note 1: For WIN8 FIPS configuration this command can be run with a NoAuth role.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 35
Table 11 describes the TOE services.
Table 11 – TOE Service Description
# Service Name State Description
1. TPM_OIAP
This service is used to create an OIAP authorization
session. OIAP authorization sessions are generally used
when use of multiple TPM entities are desired.
2. TPM_OSAP
This service is used to create an OSAP authorization
session. OSAP authorization sessions are generally used
when use of a single TPM entity is required.
3. TPM_DSAP This User service creates an authorization session and a
handle from a delegated AuthData value.
4. TPM_Terminate_Handle This User service is used to close an authorization session
and clear the data associated with the session.
5. TPM_ChangeAuth This User service is used to modify the User’s authorization
key.
6. TPM_ChangeAuthOwner This CO service is used to modify the CO’s authorization
data stored on the TOE.
7. TPM_TakeOwnership
This CO service is used to create the Storage Root Key
(SRK) keypair and install the CO’s identity/authorization
data on the TOE.
8. TPM_Extend
This service is used to update a Platform Configuration
Register (PCR). A PCR consists of a 160-bit field that
holds a cumulatively updated hash value and 4-byte status
field.
9. TPM_PcrRead This service is used to read the contents of a specified PCR
using non-cryptographic reporting.
10. TPM_PCR_Reset This User service is used to reset the contents of a specified
PCR to default conditions.
11. TPM_Quote This User service is used to read the contents of a specified
PCR using cryptographic reporting (digital signature).
12. TPM_Quote2
This User service is used to read the contents of a specified
PCR using cryptographic reporting (digital signature).
Quote2 includes more detailed information about the
platform configuration than TPM_Quote.
13. TPM_DirWriteAuth This CO service is used to provide write access to a
specified Data Integrity Register (DIR).
14. TPM_DirRead This service is used to read the contents of a specified Data
Integrity Register (DIR).
15. TPM_Seal
This User service is used to input key type data and export
it wrapped in a specified RSA public key. The Seal service
outputs the wrapped key in an TOE specific method such
that only the same TOE in the same state can perform a
successful UnSeal service.
16. TPM_Sealx
This User service is used to input encrypted key type data
and export it wrapped in a specified RSA public key. The
Seal service outputs the wrapped key in an TOE specific
method such that only the same TOE in the same state can
perform a successful UnSeal service.
17. TPM_Unseal This User service is used to decrypt and output key type
data that was wrapped during a Seal service.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 36
# Service Name State Description
18. TPM_UnBind
This User service is used to unwrap and output key type
data that was wrapped using a BindV20 service or using an
external process that execute RSA public key encryption.
19. TPM_CreateWrapKey
This User service is used to generate an RSA keypair,
encrypt the private portion with a specified RSA public key,
and output the public portion, key parameters and the
wrapped private portion of the generated keypair.
20. TPM_LoadKey
This User service is used to input, unwrap, and store an
RSA keypair that resulted from the CreateWrapKey service,
in order to make that key available for use by other
services. Keys loaded into the TPM are identified by a
handle that is assigned and output during execution of the
TPM_LoadKey service. Subsequent operations will identify
and locate this key by the reference handle. The
TPM_LoadKey service includes the fixed handle in the key
authorization Message Authentication data.
21. TPM_LoadKey2
This User service is used to input, unwrap, and store an
RSA keypair that resulted from the CreateWrapKey service,
in order to make that key available for use by other
services. Keys loaded into the TPM are identified by a
handle that is assigned and output during execution of the
TPM_LoadKey2 service. Subsequent operations will
identify and locate this key by the reference handle.
LoadKey2 does not include the handle in the key
authorization Message Authentication data.
22. TPM_EvictKey This service is used to zeroize the contents of a specified
key handle.
23. TPM_GetPubKey This User service is used to retrieve the public portion of a
specified keypair.
24. TPM_OwnerReadPubek This CO service is used to export the public portion of the
EK.
25. TPM_OwnerReadInternalPub This CO service is used to export the public portion of the
EK or SRK.
26. TPM_CreateMigrationBlob
This User service is used to migrate a private key from one
TOE to another TOE. The migrated key is wrapped in a
public key provided by the receiving TOE.
27. TPM_ConvertMigrationBlob This User service is used to store a migrated key resulting
from the CreateMigrationBlob service.
28. TPM_AuthorizeMigrationKey This CO service is used to authorize a specific key for use
in migration.
29. TPM_MigrateKey
This User service serves as a migration authority. The
service unwraps a key migration blob and re-wraps it with a
public key provided to the TPM as a command parameter.
30. TPM_CMK_ApproveMA This CO service creates an authorization ticket that
specifies an approved migration authority.
31. TPM_CMK_CreateBlob
This User service is used to migrate a private key from one
TOE to another TOE. The migrated key is wrapped in a
public key provided by the receiving TOE. Similar to
CreateMigrationBlob with more restrictions.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 37
# Service Name State Description
32. TPM_CMK_CreateKey
This User service both generates an asymmetric key and
creates a secure storage bundle for that key. Migration of
the new key is controlled by a migration authority.
33. TPM_CMK_CreateTicket This User service uses a public key to verify the signature
over a digest, and generate a ticket to prove the verification.
34. TPM_CMK_SetRestrictions This CO service is used to restrict usage of a certified
migration key with delegated authorization.
35. TPM_CMK_ConvertMigration This User service completes a migration sequence of a
certified migration blob to a new TPM.
36. TPM_SHA1Start This service is used to start the process of calculating a
SHA-1 hash.
37. TPM_ SHA1Update This service is used to continue the process of calculating a
SHA-1 hash.
38. TPM_ SHA1Complete This service is used to finalize the process of calculating a
SHA-1 hash.
39. TPM_ SHA1CompleteExtend This service is used to finalize the process of calculating a
SHA-1 hash and extend the result into a specified PCR.
40. TPM_CertifyKey This User service is used to sign and output the public
portion of a specified key.
41. TPM_CertifyKey2
This User service is used to sign and output the public
portion of a specified key when the certifying key requires
usage authorization while the certified key does not.
42. TPM_Sign This User service is used to perform an RSA sign operation
on the input data.
43. TPM_GetRandom
This service is used to return a random number to the caller.
The size of the random number is specified by the
bytesRequested parameter.
44. TPM_StirRandom This service is used to add entropy to the state of the RNG.
45. TPM_SelfTestFull This service is used to initiate an operator requested Power-
on Self Test (POST).
46. TPM_CertifySelfTest TPM_CertifySelfTest causes the TPM to perform a full
self-test and return an authenticated value if the test passes.
47. TPM_ContinueSelfTest In the FIPS mode (set during the manufacturing process),
this service just returns a ‘POST completed’ response code.
48. TPM_GetTestResult This service is used to retrieve POST test results. This
service is also allowable in the Error state.
49. TPM_Reset This service is used to release all resources associated with
all existing authorization sessions.
50. TPM_SaveState This service is used to save potentially volatile data into
non-volatile memory.
51. TPM_StartUp This service is used to initiate a start-up of the TOE after a
TPM_Init command.
52. TPM_OwnerClear This CO service is used to zeroize an TOE.
53. TPM_DisableOwnerClear This CO service is used to disable the OwnerClear service.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 38
# Service Name State Description
54. TPM_DisableForceClear
This service is used to disable the TPM_ForceClear service
until the next start-up session. After
TPM_DisableForceClear is executed, Owner keys and
CSPs can be zeroized by executing TPM_ForceClear with
Physical Presence authorization.
55. TPM_GetCapability
This service is used to determine specific capabilities of an
TOE based on the capArea and subCap parameters using
non-cryptographic reporting.
56. TPM_ GetCapabilityOwner
This CO service is used to retrieve all of the non-volatile
and volatile flags in a single operation using non-
cryptographic reporting.
57. TPM_ DAA_JOIN
This CO service establishes the parameters for a Direct
Anonymous Attestation procedure for a specific DAA
issuing authority.
58. TPM_DAA_SIGN
This CO service responds to a DAA challenge and proves
the attestation held by a TPM without revealing the
attestation held by that TPM.
59. TPM_SaveContext
This service saves a set of context parameters from a loaded
TPM outside the TPM, in order to reload the parameters at
a later time.
60. TPM_LoadContext This service loads a previously saved context blob into a
TPM.
61. TPM_NV_DefineSpace This CO service establishes space and access requirements
for a nonvolatile storage space in a TPM.
62. TPM_NV_ReadValue
This service is restricted to the CO if the NV area was set
up to require Owner auth. If not, no auth is required. This
service reads a value from a NV storage area and returns the
value.
63. TPM_NV_ReadValueAuth This User service requires authorization, then reads a value
from a NV storage area and returns the value.
64. TPM_NV_WriteValue This CO service writes a value to a predefined area in TPM
nonvolatile memory.
65. TPM_NV_WriteValueAuth This CO service writes a value to a predefined area in TPM
nonvolatile memory after completing authorization.
66. TPM_OwnerSetDisable This CO service is used to enable or disable an TOE by
setting the value of the Disable Flag.
67. TPM_PhysicalDisable This service sets the permanent disable flag to TRUE.
Requires assertion of Physical Presence.
68. TPM_PhysicalEnable This service sets the permanent disable flag to FALSE.
Requires assertion of Physical Presence.
69. TPM_PhysicalSetDeactivated
This CO service requires assertion of Physical Presence.
The service changes the state of the persistent TPM
deactivated flag.
70. TPM_SetTempDeactivated This service is used to make an TOE temporarily inactive
without destroying the secrets protected by the TOE.
71. TPM_CreateEndorsementKeyPair
This service is used to create a permanent internal
Endorsement Key (EK) (an RSA public/private keypair)
which is used in establishing the CO (owner) of the TOE.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 39
# Service Name State Description
72. TPM_CreateRevocableEK
This service is used to create a revokable internal
Endorsement Key (EK) (an RSA public/private keypair)
which is used in establishing the CO (owner) of the TOE.
73. TPM_RevokeTrust
This service clears the Endorsement Key from the TPM,
only if the EK were created using the service:
TPM_CreateRevocableEK.
74. TPM_CreateCounter
This service creates an internal TPM counter, establishes an
initial counter value and establishes the access rules and
AuthData for the counter.
75. TPM_ReadCounter This No Authentication Required service returns the current
counter value.
76. TPM_IncrementCounter This service increments the indicated counter by one.
77. TPM_ReleaseCounter This User service releases a counter such that no Read or
Increment commands will execute successfully.
78. TPM_ReleaseCounterOwner This CO service releases a counter such that no Read or
Increment commands will execute successfully.
79. TPM_ReadPubek This service is used to export the public portion of the EK
from the TOE.
80. TPM_DisablePubekRead This CO service is used to disable Users from exporting the
public portion of the EK.
81. TPM_OwnerReadPubek This CO service is used to export the public portion of the
EK.
82. TPM_MakeIdentity
This CO service is used to create an identity within the TOE
and output data necessary to complete attestation to that
identity by a third party. A TPM identity is an alias to one
and only one TPM Endorsement Key, which is
cryptographically unique. A TPM identity key may sign
status data generated internally by the TPM. The identity
key may be certified by a third party process that takes
place outside the TPM cryptographic boundary.
83. TPM_ActivateIdentity
This CO service is used to activate an identity created
within the TOE. Activation of a TPM identity occurs
outside the TPM cryptographic boundary.
84. TPM_Delegate_CreateKeyDelegation
This service delegates the privilege to use a key to another
authorized User by creating a blob that can be used by
TPM_DSAP.
85. TPM_Delegate_CreateOwnerDelegation
This CO service delegates the CO’s privilege to use a set of
command ordinals, by creating a blob. Such blobs can be
used as input data for TPM_DSAP or
TPM_Delegate_LoadOwnerDelegation.
86. TPM_Delegate_LoadOwnerDelegation This CO service loads a delegate table row blob into an
internal TPM non-volatile delegate table row.
87. TPM_Delegate_Manage This service establishes and/or manages the parameters and
access privileges of a Delegation table.
88. TPM_Delegate_ReadTable
This service loads a delegate table row blob into a non-
volatile delegate table row. The service enables verification
of delegation tables.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 40
# Service Name State Description
89. TPM_Delegate_UpdateVerification
This service sets the verificationCount in an entity (a blob
or a delegation row) to the current family value, in order
that the delegations represented by that entity will continue
to be accepted by the TPM.
90. TPM_Delegate_VerifyDelegation
This No Authentication Required service interprets a
delegate blob and returns success or failure, depending on
whether the blob is currently valid. The delegate blob is not
loaded into the TPM.
91. TPM_EstablishTransport
This User service establishes a Transport session. A TPM
Transport session can provide a log of the commands within
a session and can provide confidentiality of the commands
within a session. Depending on the attributes specified for
the session, this service may establish encryption keys and
session logs. A shared secret may also be established that
can be used to obfuscate either or both the input command
data and the output Transport log. The session will be used
by the service TPM_ExecuteTransport.
92. TPM_ExecuteTransport
This service delivers a wrapped TPM command to the TPM
where the TPM unwraps the command and then executes
the command.
93. TPM_ReleaseTransportSigned
This service completes a transport session. If logging for
this session is turned on, then this command returns a
digital signature of the hash of all operations performed
during the session.
94. TPM_FlushSpecific
TPM_FlushSpecific flushes from the TPM a specific handle
(for a key, auth session, transport session or DAA session),
and releases internal resources applied to that handle.
95. TPM_ForceClear This service is used to disable the ForceClear service until
the next start-up session
96. TPM_GetTicks This service returns the current tick count of the TPM
97. TPM_TickStampBlob
This service applies a time stamp to the Tick blob passed to
the TPM. The TPM makes no representation regarding the
blob, except that the blob was present at the TPM at the
time indicated.
98. TPM_KeyControlOwner
This CO service controls some attributes of keys that are
loaded and stored within the TPM key cache, including
enabling or disabling the ability to evict a loaded key.
99. TPM_ResetLockValue
This CO service allows the TPM Owner exactly one
opportunity to reset the TPM dictionary attack mitigation
values while a timeout penalty is imposed.
100. TPM_SetCapability
This CO service sets specific values in the TPM Capability
register, which provide to outside entities various pieces of
information regarding the design and current state of the
TPM.
101. TPM_SetOperatorAuth
This service allows the setting of the operator AuthData
value. The operator AuthData value allows the execution of
the TPM_SetTempDeactivated command.
102. TPM_SetOwnerInstall
This Physical Presence service sets the PERMANENT flag
that allows or disallows the capability to insert a TPM
Owner.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 41
# Service Name State Description
103. TPM_SetOwnerPointer
This service will establish a reference to a specific secret
the TPM will use when executing an Owner-secret-related
OIAP or OSAP session. This command is only used to
provide an Owner Delegation function for legacy code
written for older TPM revisions which does not itself
support Delegation.
104. TPM_changeAuthAsymStart
This service starts the process of changing AuthData for an
entity. It sets up an OIAP session that must be retained for
use by the TPM_ChangeAuthAsymFinish command.
105. TPM_changeAuthAsymFinish This service completes the process that allows the owner of
an entity to change the AuthData for the entity.
Locality Controlled Services
106. TPM_HASH_START
This No Authentication Required service begins a SHA-1
hash sequence. Execution of this service is limited to
processes that are capable of calling TPM services that are
restricted to a specific address range assigned to Locality 4.
Atmel User guidance instructs system designers to restrict
the Locality 4 address range to the pre-boot code that
comprises the implicitly trusted Root of Trust for
Measurement.
107. TPM_HASH_DATA
This No Authentication Required service continues a SHA-
1 hash sequence in Locality 4. This command (and optional
subsequent HASH_DATA commands) contains the input
data for the SHA-1 hash operation.
108. TPM_HASH_END
This No Authentication Required service completes a SHA-
1 hash sequence in Locality 4. This command terminates
the input data for the SHA-1 hash operation and Extends
the resulting digest into specific Platform Configuration
Registers.
TPM Connection Services
109. TSC_PhysicalPresence
This service provides a capability to indicate a human’s
physical presence at the platform containing the TPM
module. The ability to execute the TSC_PhysicalPresence
command is restricted by Owner-controlled capabilities,
which includes the ability to temporarily or permanently
disable the service.
110. TSC_ResetEstablishmentBit
This No Authentication Required service provides a
nonvolatile indication that a TPM_HASH_START has been
executed, which may indicate to the system that a trusted
operating system has been loaded and verified.
Atmel Specific Services
111. TPM_SetState
This service is used to modify the state of the TPM State
Identifier register. The State Identifier register controls and
reports status of specific TPM capabilities like power loss
status, tamper status and failed auth timeouts.
112. TPM_OwnerSetState This CO service is used to set specified internal latches of
the TOE.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 42
# Service Name State Description
113. TPM_GetState This service is used to retrieve state information from the
TOE.
114. TPM_Identify This service is used to associate an TOE with an external
host.
115. TPM_VerifySignature This service is used to verify a digital signature.
116. TPM_BindV20
This RSA public key encryption service is used to wrap key
type data with a public key provided to the TPM, and
output the wrapped key blob. This is a public key operation
and is therefore not a protected capability. TPM_BindV20
is provided as service for platforms or applications where
RSA public key encryption capability does not exist outside
the TPM cryptographic boundary.
117. TPM_DeepSleep (I2C protocol only) This service is used to allow the TPM to enter a low current
state.
118. TPM_Lock_FIPS This service is used to query the device about its mode of
operation
10.2 Authentication
The TOE supports role based authentication mechanisms for the roles defined
above (see Roles and Services). Access to execute a TPM service that acts on a
Critical Security Parameter requires that the operator assume a specific role.
Assumption of the roles Crypto Officer and User is accomplished by completing
one of the three TPM authentication processes described below. For the roles
Physical Presence and No Auth Required authentication is implicit. Selection of
the role takes place at the same time as authentication of the operator to the target
TPM entity and assumption of the selected role.
Authorization data are held in protected storage within the TOE. The auth data are
protected from unauthorized disclosure, modification or substitution.
The TOE invokes a two-step process for services requiring role/entity
authentication. The first step is to open an authorization session. The second
step is to authenticate to the entity that is to be used.
The TOE provides two protocols for opening an authorization session to
authenticate to entities without revealing the entity authorization data over the
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 43
TOE’s interface. A third protocol is supported which enables authentication by the
TPM of a subject who has been delegated specific access privileges by the TPM
Owner. The delegated subject may be given privileges to execute specific TPM
Owner authorized commands. The TOE supports multiple sessions (concurrent
operators) and uses these sessions plus individual service authentication to
internally maintain the separation of the roles assumed by each operator and
corresponding services. In all cases, the protocol exchanges nonce-data so that
both sides of the transaction can compute a hash using shared secrets and nonce-
data. Nonce-data are random numbers generated by the host and the TOE to
prevent replay and man-in-the-middle attacks. The nonce-data values from the
TOE are generated using the TOE’s internal RNG. For convention, “odd” nonce-
data values come from the Host and “even” nonce-data values come from the TPM
(0 is an even number for this definition). The TOE enforces that the odd nonce-
data value changes for each request. The TOE changes the value of the even
nonce-data on each reply.
Each side generates the HMAC value and compares the internally generated
HMAC value to the value received. The entity authorization data is protected from
exposure on the communication bus using hashed objects sent over the interface.
The TPM authorization protocols are the following:
Object-Independent Authorization Protocol (OIAP)
Object-Specific Authorization Protocol (OSAP).
Delegation-Specific Authorization Protocol (DSAP).
All authorization session protocols use a “rolling nonce-data” paradigm. This
means that the TOE creates a new nonce-data value (i.e. random number) each
time the TOE uses the session for an HMAC calculation. This “rolling nonce-data”
paradigm ensures that the service requests are genuine and are not “replayed”.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 44
The first authorization session protocol is the OIAP, which enables the exchange
of nonce-data with a specific TOE. Once an OIAP authorization session is
established, its nonce-data can be included with the entity shared secret known by
the operator as input to an HMAC computation. The authorization session can live
indefinitely until either party requests the session termination. The OIAP protocol
requires that re-authorization is completed before allowing execution of each
requested service. The TPM_OIAP service starts the OIAP session.
The second protocol is the “Object Specific Authorization Protocol (OSAP)”. The
OSAP allows establishment of an authentication session for a single entity. Once
authorization has been completed successfully, multiple service requests for the
authorized entity can be executed without re-execution of the authorization
protocol. OSAP creates nonce-data that can authorize multiple commands without
additional session-establishment overhead, but is bound to a specific entity by the
secret auth value tied to the entity. The OSAP protocol verifies proof of knowledge
of the entity secret through the HMAC protocol. The TPM_OSAP service starts the
OSAP session. Once established, an OSAP session will remain open and valid
until the either party terminates the session by resetting the parameter
continueAuthSession in the service request command. The TPM_OSAP specifies
the entity to which the authorization session is bound.
In general, the calculated authentication HMAC value is in the following forms:
OIAP Session
HMAC (Entity Authorization Data; SHA1 (inParams); inAuthSetupParams)
where inParams = (ordinal, Input Arguments)
where inAuthSetupParams = (Authorization Handle; authLastNonceEven;
nonceOdd; continueAuthSession)
OSAP Session
HMAC (Shared Secret; SHA1 (inParams); inAuthSetupParams)
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 45
where Shared Secret = HMAC (Entity Authorization Data; nonceEvenOSAP;
nonceOddOSAP)
where inParams = (ordinal, Input Arguments)
where inAuthSetupParams = (authLastNonceEven; nonceOdd;
continueAuthSession)
The HMAC value is a 20-byte number that includes multiple 20-byte random
number components (2 random number components are used during the OIAP
Session; 4 random number components are used during the OSAP Session). In
this manner, the plaintext value of the actual Entity Authentication Data (20-byte
number) is not revealed over the TOE interface.
The DSAP protocol allows the TPM Owner to create a new AuthData value and to
delegate some selected TPM Owner privileges to that new AuthData value. As
with OIAP and OSAP, the DSAP protocol requires an exchange of nonces to set
up the authorization session. The TPM then uses the delegated AuthData value
for all HMAC calculations. Once authorization of the delegated subject is
completed by the TPM using the new AuthData value, usage of delegated
privileges occurs using the same auth session protocols established for all
authorized TPM commands.
10.2.1 Physical Presence
OIAP, OSAP and DSAP authorization protocols provide the authentication
mechanism for assuming the roles of Crypto Officer or User. A subset of the TPM
capabilities may be executed after assuming the role of Physical Presence (PP).
See Table 10 – TOE Services. While authorization is implicit for services requiring
the Physical Presence role, the TPM requires assertion of the Physical Presence
flag before allowing execution of these services. The capability for asserting the
Physical Presence flag should exist only after the TPM is initially powered up or
following a Reset event. Atmel User Guidance instructs system designers to
systematically disable the capability for asserting the Physical Presence flag after
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 46
completion of essential early boot operations. Once disabled, Physical Presence
may not be re-asserted until after a power down or Reset event.
The list of TPM commands that can be authorized by assertion of Physical
Presence:
TPM_SetOwnerInstall TPM_PhysicalEnable
TPM_PhysicalDisable
TPM_PhysicalSetDeactivated
TPM_SetTempDeactivated
TPM_SetOperatorAuth
TPM_ForceClear TPM_RevokeTrust TPM_NV_DefineSpace
TPM_NV_WriteValue
TPM_NV_WriteValueAuth
TPM_NV_ReadValue
TPM_NV_ReadValueAuth
10.2.2 Strength
The Entity Authentication Data is always a 20-byte number (160 bits), in which all
bits are equally probable. Therefore, the “random attempt” probability of guessing
the Authentication Data is 1 in 2160. This probability applies to all TPM
authorization protocols, OIAP, OSAP and DSAP.
10.2.2.1 AT97SC3204 TPM Strength
The AT97SC3204 communicates over a PCI bus [17] using an LPC protocol [16].
Each byte of command or data information transmitted to the TPM requires 15
LPC clock cycles. Each LPC clock cycle requires a minimum of 29.5 nsec for
guaranteed operation within the Atmel AT97SC3204 datasheet limits. For the
purposes of calculating data transmission rates for brute force authorization
attempts at the highest frequency the internal circuitry is capable of supporting, a
maximum frequency has been established by characterization of the product.
While operation is not guaranteed at this frequency, some TPM chips are able to
respond to data transmissions as high as 41 MHz, which corresponds to a
minimum clock cycle time of 24.39 nsec. This value can serve as the minimum
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 47
possible cycle time for calculation of success probability during brute force
repeated authorization attempts.
10.2.2.1.1 Strength calculation for OSAP
The shortest TPM command that requires authorization (TPM_OwnerClear)
comprises 55 bytes of command and data input, including the Owner
authorization value. If the authorization protocol is OSAP and the Failed
Authentication Attempts Counter has been disabled by the TPM Owner,
repeated authentication attempts are allowed without re-initiating a new
auth session. Receiving the return code from the TPM will always require a
minimum of 10 bytes. The minimum time required to input one attempted
guess of a TPM OSAP authorization value is therefore:
15 cycles/byte * 24.39 nsec * (55 + 10 bytes) = 23.7802 µsec
The maximum number of attempts per minute is:
60 sec/23.7802 µsec = 2,523,102 maximum attempts per minute
The probability that multiple attempts to use the OSAP authentication
mechanism during a one-minute period will succeed is:
2,523,102 / 2160 = 1.726376 x 10-42
10.2.2.1.2 Strength calculation for OIAP
If the authorization session is an OIAP session, the TPM will require re-
initiation of a new authorization session for every service request. This
requires a minimum of 10 input bytes followed by 38 bytes of output data.
To determine whether an authorization attempt has succeeded or failed, the
OIAP session must be followed by execution of an authorized command.
The shortest TPM command that requires authorization (TPM_OwnerClear)
comprises 55 bytes of command and data input, including the Owner
authorization value. Receiving the return code from the TPM will always
require a minimum of 10 bytes. Execution of multiple failed authorization
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 48
attempts will require that the TPM Failed Authentication Attempts Counter be
disabled. The minimum time required to input one attempted guess of a
TPM OIAP authorization value is therefore:
15 cycles/byte * 24.39 nsec * (55 + 10 + 10 + 38 bytes) = 41.341 µsec
The maximum number of attempts per minute is:
60 sec/41.341 µsec = 1,451,344
The probability that multiple attempts to use the OIAP authentication
mechanism during a one-minute period will succeed is:
1,451,344 / 2160 = 9.930498 x 10-43
10.2.2.1.3 Strength calculation for DSAP
The DSAP protocol behaves like OSAP, in that an authorization session
targets a single TPM entity or service. However a DSAP authorization
session will be automatically terminated at the conclusion of every failed
attempt at authorization of a delegated service request. Setup of delegation
tables and creation of delegation data blobs occurs before any attempted
authorization of a delegated command, and therefore the time required for
Delegation setup does not affect the probability that multiple authorization
attempts executed during a one minute period would succeed. However, an
authorization attempt executed using a DSAP can only be confirmed (pass
or fail) by attempting execution of a delegated command. Failure of the
delegated command terminates the DSAP session, so subsequent
authorization attempts must re-execute a DSAP command to initiate a new
session for each attempt.
The DSAP command requires a minimum of 145 input bytes, including the
delegation key blob or owner blob. The output of DSAP is 58 bytes.
The shortest TPM command that requires authorization (TPM_OwnerClear)
and can be delegated by the TPM owner comprises 55 bytes of command
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 49
and data input, including the Owner authorization value. If the authorization
protocol is DSAP and the delegation data blobs have been properly created
(using either TPM_CreateKeyDelegation or TPM_CreateOwnerDelegation)
then repeated DSAP authentication sessions are allowed without recreating
the delegation data.
Receiving the return code from the TPM will always require a minimum of
10 bytes. The minimum time required to input one attempted guess of a
TPM OSAP authorization value is therefore:
15 cycles/byte * 24.39 nsec * (145 + 58 + 55 + 10 bytes) = 98.0478 µsec
The maximum number of attempts per minute is:
60 sec/98.0478 µsec = 611947
The probability that multiple attempt to use the OSAP authentication
mechanism during a one-minute period will succeed is:
611,947 / 2160 = 4.187111 x 10-43
Table 12 – AT97SC3204 Authentication Strength
Authentication Type Single Attempt
Strength
Attempts per minute Strength (calculations shown in text above)
OIAP 1/2160
(6.842278 x 10-49) 9.930498 x 10-43
OSAP 1/2160
(6.842278 x 10-49) 1.726376 x 10-42
DSAP 1/2160
(6.842278 x 10-49) 4.187111 x 10-43
10.2.2.2 AT97SC3205 TPM Strength
The AT97SC3205 communicates over a SPI bus using a TCG outlined SPI
protocol [21] or a 2-wire interface “bit banged” over two GPIO ports. The 2-wire
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 50
interface requires more clock cycles per byte of communication compared to the
SPI interface, so only the SPI interface is considered in the below analysis.
At a minimum, to write one byte of command or data information transmitted to the
TPM requires 40 SPI clock cycles. Each SPI clock cycle requires a minimum of
41.6 nsec (24 MHz) and a maximum of 22.2 nsec (45 MHz) for guaranteed
operation within the Atmel AT97SC3205 datasheet limits. For the purposes of
calculating data transmission rates for brute force authorization attempts at the
highest frequency the SPI bus MISO pad circuitry is capable of supporting, a
maximum frequency has been established by characterization of the product.
While operation is not guaranteed at this frequency, some TPM chips are able to
respond to data transmissions at the higher 45 MHz rate, which corresponds to a
minimum clock cycle time of 22.2 nsec. This value can serve as the minimum
possible cycle time for calculation of success probability during brute force
repeated authorization attempts.
10.2.2.2.1 Strength calculation for OSAP
The shortest TPM command that requires authorization (TPM_OwnerClear)
comprises 55 bytes of command and data input, including the Owner authorization
value. If the authorization protocol is OSAP and the Failed Authentication Attempts
Counter has been disabled by the TPM Owner, repeated authentication attempts
are allowed without re-initiating a new auth session. Receiving the return code
from the TPM will always require a minimum of 10 bytes. The minimum time
required to input one attempted guess of a TPM OSAP authorization value is
therefore:
40 cycles/byte * 22.2 nsec * (55 + 10 bytes) = 57.720 µsec
The maximum number of attempts per minute is:
60 sec/23.7802 µsec = 1,039,501 maximum attempts per minute
The probability that multiple attempts to use the OSAP authentication mechanism
during a one-minute period will succeed is:
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 51
1,039,501 / 2160 = 7.11255 x 10-43
10.2.2.2.2 Strength calculation for OIAP
If the authorization session is an OIAP session, the TPM will require re-initiation of
a new authorization session for every service request. This requires a minimum of
10 input bytes followed by 38 bytes of output data. To determine whether an
authorization attempt has succeeded or failed, the OIAP session must be followed
by execution of an authorized command. The shortest TPM command that
requires authorization (TPM_OwnerClear) comprises 55 bytes of command and
data input, including the Owner authorization value. Receiving the return code from
the TPM will always require a minimum of 10 bytes. Execution of multiple failed
authorization attempts will require that the TPM Failed Authentication Attempts
Counter be disabled. The minimum time required to input one attempted guess of a
TPM OIAP authorization value is therefore:
40 cycles/byte * 22.2 nsec * (55 + 10 + 10 + 38 bytes) = 100.344 µsec
The maximum number of attempts per minute is:
60 sec/100.344 µsec = 597,967
The probability that multiple attempts to use the OIAP authentication mechanism
during a one-minute period will succeed is:
597,967/ 2160 = 4.09145 x 10-43
10.2.2.2.3 Strength calculation for DSAP
The DSAP protocol behaves like OSAP, in that an authorization session targets a
single TPM entity or service. However a DSAP authorization session will be
automatically terminated at the conclusion of every failed attempt at authorization
of a delegated service request. Setup of delegation tables and creation of
delegation data blobs occurs before any attempted authorization of a delegated
command, and therefore the time required for Delegation setup does not affect the
probability that multiple authorization attempts executed during a one minute
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 52
period would succeed. However, an authorization attempt executed using a DSAP
can only be confirmed (pass or fail) by attempting execution of a delegated
command. Failure of the delegated command terminates the DSAP session, so
subsequent authorization attempts must re-execute a DSAP command to initiate a
new session for each attempt.
The DSAP command requires a minimum of 145 input bytes, including the
delegation key blob or owner blob. The output of DSAP is 58 bytes.
The shortest TPM command that requires authorization (TPM_OwnerClear) and
can be delegated by the TPM owner comprises 55 bytes of command and data
input, including the Owner authorization value. If the authorization protocol is
DSAP and the delegation data blobs have been properly created (using either
TPM_CreateKeyDelegation or TPM_CreateOwnerDelegation) then repeated DSAP
authentication sessions are allowed without recreating the delegation data.
Receiving the return code from the TPM will always require a minimum of 10
bytes. The minimum time required to input one attempted guess of a TPM OSAP
authorization value is therefore:
40 cycles/byte * 22.2 nsec * (145 + 58 + 55 + 10 bytes) = 237.984 µsec
The maximum number of attempts per minute is:
60 sec/237.984 µsec = 252117
The probability that multiple attempt to use the OSAP authentication mechanism
during a one-minute period will succeed is:
252117 / 2160 = 1.72505 x 10-43
Table 13 – AT97SC3205 Authentication Strength
Authentication Type Single Attempt
Strength
Attempts per minute Strength
(calculations shown in text above)
OIAP 1/2160
(6.842278 x 10-49) 7.11255 x 10-43
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 53
OSAP 1/2160
(6.842278 x 10-49) 4.09145 x 10-43
DSAP 1/2160
(6.842278 x 10-49) 1.72505 x 10-43
10.2.3 Failed Authentication Attempts Counter
The TOE accumulates the total number of failed authorization attempts on any
entity in the FAILCOUNT register. A temporary lockout will occur if the number of
attempts (A) is such that:
A mod <failure modulus> = 0.
The size of the <failure modulus> is set by specifying the FAILMOD parameter in
the TPM_OwnerSetState service. The default value for FAILMOD is 3 (which
allows 8 failed auth attempts before imposing a lockout penalty). FAILMOD may
be modified using an Owner authorized command. Values greater than 10 are not
permitted. Table 14 specifies the relationship between the FAILMOD parameter
and the <failure modulus>.
Table 14 – Failure Modulus
FAILMOD <failure modulus>
0 Disabled
1 2
2 4
3 8
4 16
5 32
6 64
7 128
8 256
9 512
10 1024
The length of a lockout increases geometrically beginning with an initial lockout
time equal to approximately 1.1 minutes. Table 14 shows the approximate lockout
time given a specific FAILMOD and number of failed attempts.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 54
Table 15 – Lockout delay vs. FAILMOD value
Lockout #
FAILMOD Delay
1 2 3 4 5 6 7 8 9 10 1 2 4 8 16 32 64 128 256 512 1024 1.1 min
2 4 8 16 32 64 128 256 512 1024 2048 2.2 min
3 6 12 24 48 96 192 384 768 1536 3072 4.4 min
4 8 16 32 64 128 256 512 1024 2048 4096 8.8 min
5 10 20 40 80 160 320 640 1280 2560 5120 17.6 min
6 12 24 48 96 192 384 768 1536 3072 6144 35.2 min
7 14 28 56 112 224 448 896 1791 3584 7168 1.2 hr
8 16 32 64 128 256 512 1024 2048 4096 8192 2.3 hr
9 + 18 36 72 144 288 576 1152 2304 4608 9216 4.7 hr
10.2.3.1.1.1 If the TOE is in a locked-out condition, the TPM Owner is allowed
exactly one attempt to reset the lockout, using the Owner-authorized
command TPM_ResetLockValue. It is understood that this command
allows the TPM owner to perform a dictionary attack on other
authorization values by alternating a trial and this command. Similarly,
delegating this command allows the owner’s delegate to perform a
dictionary attack.
When the chip is in a lockout condition, all commands other those in the following
list will return the error code TPM_DEFEND_LOCK_RUNNING. If an unsuccessful
TPM_OwnerSetState has occurred, then the TPM_OwnerSetState command will
also return TPM_DEFEND_LOCK_RUNNING for the remainder of the lockout
interval.
List of commands that may execute successfully while the TPM is in lockout
condition:
TPM_ContinueSelfTest
TPM_FlushSpecific
TPM_Identify
TSC_PhysicalPresence
TSC_ResetEstablishmentBit
TPM_SHA1Complete
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 55
TPM_DirRead
TPM_GetCapability
TPM_OIAP
TPM_PCR_Reset
TPM_ResetLockValue
TPM_SHA1CompleteExtend
TPM_DSAP TPM_GetState
TPM_OSAP TPM_ReadCounter
TPM_SHA1Start
TPM_Startup
TPM_Extend
TPM_GetTestResult
TPM_OwnerSetState
TPM_Reset
TPM_SHA1Update
TPM_Terminate_Handle
10.3 Identification
To install TCG identities into the TOE, the CO performs the TPM_MakeIdentity and
TPM_ActivateIdentity services. The concept of a TCG Identity in a TPM does not
correspond to the definition of Identity in FIPS 140-2. A TPM Identity is an alias to
one and only one TPM Endorsement Key, which is cryptographically unique.
Creation of a TPM identity (TPM_MakeIdentity) invokes creation of a
corresponding Identity key. A TPM Identity key may sign status data generated
internally by the TPM. The identity key may be certified by a third party process
that takes place outside the TPM cryptographic boundary.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 56
11 Access Control Policy
Security Level 1
The following sub-sections describe the identification and usage of Critical Security
Parameters (CSPs).
11.1 Definition of Critical Security Parameters (CSPs) Table 16 – CSP Identification describes the CSPs that may reside in the module. Services that create, modify or make use of CSPs are listed in the Services column, which references services listed in Table 10 – TOE Services.
Table 16 – CSP Identification
CSP Algorithm Size (bits)
Description Services
(listed in Table 10)
Endorsement
Key (EK)
RSA 2048 Internally generated 2048-bit RSA key pair.
Used to decrypt Owner auth value and
Identity certificates. Can be zeroized only if it
is generated using the service
TPM_createRevokableEK.
7, 24, 71, 72, 73, 78,
79, 80, 82,
Storage root
Key (SRK)
RSA 2048 Key-encrypting key. Root key for the TPM
storage hierarchy. Internally generated by the
service TPM_takeOwnership. Child keys of
the SRK may be created in the TPM Storage
hierarchy using the service createWrapKey.
6, 7, 25, 81
Private Storage
Keys
RSA 2048 RSA private keys used in unwrapping
operations. Usage properties are determined
by the Key property values stored and
protected with the key data. Key data
determines key usage properties that may
restrict key usage for Encryption or Signature
services. Key Migration capability.
7, 15, 16, 17, 18, 19,
20, 21, 22, 29, 31,
32, 35, 82, 88, 89, 91
Seal Keys RSA 2048 RSA private Storage Keys used to unwrap
Sealed data blobs. Unwrapping operations
require verification of TPM state in addition
to standard user authentication.
15, 16, 19, 20, 21
AuthChange
Keys
RSA 1024
2048
An ephemeral key whose use is restricted to
providing confidentiality for new
authentication data in the process of changing
authentication values.
104, 105
Private
Signature Keys.
Private Identity
Keys
RSA 1024
2048
RSA private keys used in digital signature
operations. Usage properties are determined
by the Key property values stored and
protected with the key data.
11, 12, 15, 16, 19,
22, 40, 41, 42, 46,
81, 82, 92
Private
Encryption
Keys. Bind
RSA 1024
2048
RSA private keys used to encrypt key type
data for storage outside the cryptographic
boundary. Created by the service
15, 16, 17, 18, 19,
20, 21
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 57
Keys TPM_createWrapKey. Not allowed to
perform Signature operations.
Migrate Keys RSA 1024
2048
TPM_MigrateKey decrypts an input packet
(coming from TPM_CreateMigrationBlob or
TPM_CMK_CreateBlob) and then re-
encrypts it with a public key that was input
with the command.
26, 27, 28, 29, 30,
31, 32, 33, 34, 35
tpmProof N/A 160 Internally generated secret value used to
verify proof of origin for encrypted objects
created by the TPM and stored outside the
module.
3, 7, 15, 17, 19, 20,
21, 16, 26, 28, 30,
32, 33, 31, 35, 41,
51, 58, 59, 80, 82,
83, 84, 87, 88
contextKey AES 128 Symmetric key used to provide internal
encryption and decryption of Context blobs.
59, 60
delegateKey AES 128 Symmetric key used to encrypt and decrypt
sensitive data passed to the module with
Delegation service requests.
83, 84, 85, 86, 87,
88, 89
daaBlobKey AES 128 Symmetric key used to encrypt sensitive data
used to build a TPM_DAA_TPM structure
that is exported from the module
57, 58
transportKey AES 128 Symmetric key used to encrypt parameters
from TPM commands that are passed to the
module within a Transport session
90, 91, 92
Activate
Identity Key
AES 128 Symmetric session key created by a
Certification authority, passed to the module
as an encrypted parameter of
TPM_activateIdentity and used to decrypt the
TPM_IDENTITY_CREDENTIAL.
81
HMAC Keys HMAC 160 SHA-1 HMAC keys used in authorization
protocols. The HMAC key is specified by the
TPM_AUTHDATA description in an OIAP
or Transport session. For an OSAP or DSAP
session, the HMAC key is the shared secret
that was calculated during the session setup.
5, 6, 11, 12, 13, 15,
16, 17, 18, 19, 20,
21, 23, 24, 25, 26,
27, 28, 29, 30, 31,
32, 33, 34, 35, 40,
41, 42, 46, 52, 53,
56, 57, 58, 61, 62,
63, 64, 65, 66, 77,
79, 80, 81, 82, 83,
84, 85, 86, 88, 89,
90, 91, 92, 96, 97,
98, 99, 100, 110
Platform
Configuration
Registers
(PCRs)
SHA-1 160 An array of 160-bit registers held in
EEPROM or RAM memory as specified in
the TCG TPM PC Client TPM specification
[5]. A PCR will contain SHA-1 hash results
from measurements of the internal TPM state
and the external system state.
7, 8, 10, 11, 12, 15,
16, 17, 19, 21, 31,
32, 39, 40, 41, 51,
62, 63, 64, 81, 82,
87,
Authentication
data
HMAC 160 Auth data held in protected EEPROM storage
for permanent TPM entities (Owner and
SRK) and for TPM entities that are not
cryptographic keys, such as counters,
NVStorage indices, Transport sessions,
Delegations sessions.
5, 6, 11, 12, 13, 15,
16, 17, 18, 19, 20,
21, 23, 24, 25, 26,
27, 28, 29, 30, 31,
32, 33, 34, 35, 40,
41, 42, 46, 52, 53,
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 58
56, 57, 58, 61, 62,
63, 64, 65, 66, 77,
79, 80, 81, 82, 83,
84, 85, 86, 88, 89,
90, 91, 92, 96, 97,
98, 99, 100, 110
Monotonic
Counters
N/A N/A Continuously increasing counter. Always
readable, but can’t be modified, reset or
deleted by any external or internal process.
52, 74, 76, 77, 97
Tick Counter N/A N/A Internal counter, reset on power-up. Records
the number of clocks since the start of a Tick
session.
90, 91, 92, 95, 96,
NonVolatile
Storage
N/A N/A Protected nonvolatile EEPROM memory
reserved for user data.
61, 64, 65,
RNG Seed SHA-1 160 Input to RNG. Replaced by the new RNG
output value each time the RNG is called.
1, 2, 3, 4, 5, 6, 7, 8,
9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19,
20, 21, 22, 23, 24,
25, 26, 27, 28, 29,
30, 31, 32, 33, 34,
35, 36, 37, 38, 39,
40, 41, 42, 43, 44,
45, 46, 47, 48, 49,
50, 51, 52, 53, 54,
55, 56, 57, 58, 59,
60, 61, 62, 63, 64,
65, 66, 67, 68, 69,
70, 71, 72, 73, 74,
75, 76, 77, 78, 79,
80, 81, 82, 83, 84,
85, 86, 87, 88, 89,
90, 91, 92, 93, 94,
95, 96, 97, 98, 99,
100, 101, 102, 103,
104, 105, 106, 107,
108, 109, 110, 111,
112, 113, 114, 115
RNG Seed Key SHA-1 160 Input to RNG. Receives input from
nondeterministic entropy generator.
Permanent
Data, state
flags, tamper
registers and
critical data
N/A N/A Data, symmetric keys, secrets and state flags
held in TPM protected EEPROM memory.
These include: revMajor, revMinor, ekReset,
operatorAuth, authDIR, SRKauth,
ownerAuth, contextKey, pcrAttrib,
delegateKey, tpmProof, FIPS indicator,
rngState, familyTable, delegateTable,
lastFamilyID, noOwnerNVWrite,
restrictDelegate, tpmDAAseed, daaProof,
daaBlobKey, deactivated, disableForceClear,
PhysicalPresence, physicalPresenceLock,
bGlobalLock. The Tamper registers store a
record of tamper events recorded if operation
outside the specified environmental
conditions is detected (voltage, temperature,
frequency, hardware shield).
1, 2, 3, 4, 5, 6, 7, 8,
9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19,
20, 21, 22, 23, 24,
25, 26, 27, 28, 29,
30, 31, 32, 33, 34,
35, 36, 37, 38, 39,
40, 41, 42, 43, 44,
45, 46, 47, 48, 49,
50, 51, 52, 53, 54,
55, 56, 57, 58, 59,
60, 61, 62, 63, 64,
65, 66, 67, 68, 69,
70, 71, 72, 73, 74,
75, 76, 77, 78, 79,
80, 81, 82, 83, 84,
85, 86, 87, 88, 89,
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 59
90, 91, 92, 93, 94,
95, 96, 97, 98, 99,
100, 101, 102, 103,
104, 105, 106, 107,
108, 109, 110, 111,
112, 113, 114, 115
KAT values N/A N/A Protected stored values used by power-up
Known Answer Tests. Includes fixed results
for RNG, RSA, AES, HMAC, SHA-1, ROM
integrity test, EEPROM integrity test.
45, 46
Executable
firmware
N/A N/A Executable software stored in protected TPM
memory (both ROM and EEPROM).
Contains support for execution of all TPM
services including cryptographic operations.
1, 2, 3, 4, 5, 6, 7, 8,
9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19,
20, 21, 22, 23, 24,
25, 26, 27, 28, 29,
30, 31, 32, 33, 34,
35, 36, 37, 38, 39,
40, 41, 42, 43, 44,
45, 46, 47, 48, 49,
50, 51, 52, 53, 54,
55, 56, 57, 58, 59,
60, 61, 62, 63, 64,
65, 66, 67, 68, 69,
70, 71, 72, 73, 74,
75, 76, 77, 78, 79,
80, 81, 82, 83, 84,
85, 86, 87, 88, 89,
90, 91, 92, 93, 94,
95, 96, 97, 98, 99,
100, 101, 102, 103,
104, 105, 106, 107,
108, 109, 110, 111,
112, 113, 114, 115
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 60
11.2 Definition of Public Keys
The following Public Keys may be contained within the module
Public Key Description
Signature verification
Key (public portion of
Endorsement Key,
Signing Key, Identity
Key)
RSA public/private key pairs may be loaded into the TPM and made available for use
by other TPM capabilities. Usage is gated by TPM access control mechanisms specified
by parameters included with each loaded key pair. Reading the Public portion of a
loaded key may or may not require authorization of the key Owner. Loaded public keys
may be used to verify digital signatures. The public Endorsement Key is held within
TPM protected memory space.
RSA encryption key
(public portion of
Storage Key, Seal Key,
AuthChange Key,
Migrate Key)
Loaded RSA public Storage keys may be used as Parent keys to encrypt data blobs to be
exported for storage of Child keys and key data outside the cryptographic boundary.
Loaded and authorized public Storage keys may be used to create encrypted Migration
blobs that are exported from the TPM and may be subsequently imported by a different
TPM containing the corresponding private key. A loaded public key may be used to
certify that another key residing in the TPM is protected by the TPM and will never be
revealed.
BindV20 public key This RSA public key is used to wrap arbitrary unprotected data with a public key
provided to the TPM, and output the wrapped data blob. This is a public key operation
and is therefore not a protected capability. The BindV20 public key is entered into the
TPM as a plaintext parameter of the TPM_BindV20 service. The private key associated
public key is not loaded into the TPM at the time the public key encryption operation
takes place. TPM_BindV20 is provided as an unprotected service for platforms or
applications where RSA public key encryption capability does not exist outside the
TPM cryptographic boundary.
11.3 CSP Access Type Table 17 describes the CSP access types.
Table 17 – CSP Access Type
Access Type Description
Generate Private (Gp) “Generate Private” is defined as the creation of an RSA key pair.
Generate Secret (Gs) “Generate Secret” is defined as the creation of a Secret.
Sign (S) “Sign” is defined as the process in which an RSA private key is employed to generate a
digital signature.
Key Unwrap (Ku) “Key Unwrap” is defined as the process in which an RSA private key is employed to
decrypt a Secret.
Key Wrap (Kw) “Key Wrap” is defined as the process in which an RSA public key is employed to
encrypt a Secret or RSA private key.
Use (U) “Use” is defined as a process that uses a Secret.
Delete (D) “Delete” is defined as the zeroization of an RSA private key.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 61
11.4 Logical Access Policy Table 18 describes the Logical Access policy.
Table 18 – Logical Access
Services Roles CSPs
# Name CO User PP NoAuth Private Secret
1. TPM_OIAP X - -
2. TPM_OSAP X - -
3. TPM_DSAP X - -
4. TPM_Terminate_Handle X - -
5. TPM_ChangeAuth X - U ; Gs
6. TPM_ChangeAuthOwner X - U ; Gs
7. TPM_TakeOwnership X Ku ; Gp U ; Gs
8. TPM_Extend X - -
9. TPM_PcrRead X - -
10. TPM_PCR_Reset X - -
11. TPM_Quote X S U
12. TPM_Quote2 X S U
13. TPM_DirWriteAuth X - U
14. TPM_DirRead X - -
15. TPM_Seal X S U ; Kw
16. TPM_Sealx X S U;Kw;Ku
17. TPM_Unseal X Ku U
18. TPM_UnBind X Ku U
19. TPM_CreateWrapKey X Gp U ; Kw
20. TPM_LoadKey X (X1) Ku U
21. TPM_LoadKey2 X (X1) Ku U
22. TPM_EvictKey X D -
23. TPM_GetPubKey X - U
24. TPM_OwnerReadPubek X - U
25. TPM_OwnerReadInternalPub X - U
26. TPM_CreateMigrationBlob X Kw U
27. TPM_ConvertMigrationBlob X Kw U
28. TPM_AuthorizeMigrationKey X - U
29. TPM_MigrateKey X Ku U; Kw
30. TPM_CMK_ApproveMA X - U
31. TPM_CMK_CreateBlob X Kw U
32. TPM_CMK_CreateKey X Gp U; Kw
33. TPM_CMK_CreateTicket X - U
34. TPM_CMK_SetRestrictions X - U
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 62
Services Roles CSPs
# Name CO User PP NoAuth Private Secret
35. TPM_CMK_ConvertMigration X - U; Kw
36. TPM_SHA1Start X - -
37. TPM_ SHA1Update X - -
38. TPM_ SHA1Complete X - -
39. TPM_ SHA1CompleteExtend X - -
40. TPM_CertifyKey X S U
41. TPM_CertifyKey2 X S U
42. TPM_Sign X S U
43. TPM_GetRandom X - -
44. TPM_StirRandom X - -
45. TPM_SelfTestFull X - -
46. TPM_CertifySelfTest X S U
47. TPM_ContinueSelfTest X - -
48. TPM_GetTestResult X - -
49. TPM_Reset X - -
50. TPM_SaveState X - -
51. TPM_StartUp X - -
52. TPM_OwnerClear X D U
53. TPM_DisableOwnerClear X - U
54. TPM_DisableForceClear X - -
55. TPM_GetCapability X - -
56. TPM_ GetCapabilityOwner X - U
57. TPM_ DAA_JOIN X - U
58. TPM_DAA_SIGN X - U
59. TPM_SaveContext X - -
60. TPM_LoadContext X - -
61. TPM_NV_DefineSpace X X - U
62. TPM_NV_ReadValue X X - U
63. TPM_NV_ReadValueAuth X X - U
64. TPM_NV_WriteValue X X - U
65. TPM_NV_WriteValueAuth X X - U
66. TPM_OwnerSetDisable X - U
67. TPM_PhysicalDisable X - -
68. TPM_PhysicalEnable X - -
69. TPM_PhysicalSetDeactivated X - -
70. TPM_SetTempDeactivated X X - U
71. TPM_CreateEndorsementKeyPair X Gp -
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 63
Services Roles CSPs
# Name CO User PP NoAuth Private Secret
72. TPM_CreateRevocableEK X Gp -
73. TPM_RevokeTrust X - -
74. TPM_CreateCounter X - U
75. TPM_ReadCounter X - -
76. TPM_ReleaseCounter X - U
77. TPM_ReleaseCounterOwner X - U
78. TPM_ReadPubek X - -
79. TPM_DisablePubekRead X - U
80. TPM_OwnerReadPubek X - U
81. TPM_MakeIdentity X Gp; Kw;
S U
82. TPM_ActivateIdentity X Ku U
83. TPM_Delegate_CreateKeyDelegation X - U; Kw
84. TPM_Delegate_CreateOwnerDelegation X - U; Kw
85. TPM_Delegate_LoadOwnerDelegation X - U
86. TPM_Delegate_Manage X - U
87. TPM_Delegate_ReadTable X - -
88. TPM_Delegate_UpdateVerification X Ku U
89. TPM_Delegate_VerifyDelegation X Ku U
90. TPM_EstablishTransport X - U
91. TPM_ExecuteTransport X Ku U
92. TPM_ReleaseTransportSigned X S U
93. TPM_FlushSpecific X - -
94. TPM_ForceClear X - -
95. TPM_GetTicks X - -
96. TPM_TickStampBlob X - U
97. TPM_IncrementCounter X - U
98. TPM_KeyControlOwner X - U
99. TPM_ResetLockValue X - U
100. TPM_SetCapability X - U
101. TPM_SetOperatorAuth X - -
102. TPM_SetOwnerInstall X - -
103. TPM_SetOwnerPointer X - -
104. TPM_changeAuthAsymStart X - -
105. TPM_changeAuthAsymStart X - -
Locality Controlled Functions
106. TPM_HASH_START X - -
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 64
Services Roles CSPs
# Name CO User PP NoAuth Private Secret
107. TPM_HASH_DATA X - -
108. TPM_HASH_END X - -
TPM Connection Services
109. TSC_PhysicalPresence X - -
110. TSC_ResetEstablishmentBit X - -
Atmel Specific Services
111. TPM_SetState X - -
112. TPM_OwnerSetState X - U
113. TPM_GetState X - -
114. TPM_Identify X - -
115. TPM_VerifySignature X - -
116. TPM_BindV20 X Kw
117. TPM_DeepSleep (I2C protocol only) X - -
118. TPM_Lock_FIPS X - -
Note 1: For WIN8 FIPS configuration this command can be run with a NoAuth role.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 65
12 Physical Security Policy
Security Level 1
The TOE meets Physical Security protection requirements for FIPS level 1.
Physical security at level 1 assumes no physical protection of CSPs. No actions
are required by the operator(s) to ensure that physical security is maintained.
Some physical security protection mechanisms beyond the requirements for level
1 have been implemented and are described in the section titled Mitigation of
Other Attacks Policy.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 66
13 Operational Environment
The FIPS 140-2 level 1 operational environment requirements are not applicable to
the TOE. The TOE Operational Environment is non-modifiable. No mechanism
exists to upgrade, read, modify or delete the module firmware or hardware. No
general purpose operating system is supported or used by the module. Execution
of module services is restricted to a single user operating on a single service at
any time.
The TOE executable firmware is split into two portions. All executable firmware is
stored in protected nonvolatile memory – either ROM or EEPROM. The portion of
executable firmware stored in ROM is established in the chip metal layers during
the wafer fabrication process. The portion of executable code stored in EEPROM
is written and locked into TPM protected EEPROM during the chip production test
process. EEPROM executable code cannot be read by any process except
through internal execution mechanisms performing explicit execution of valid
service requests during the lifetime of the module. EEPROM executable code is
stored in memory locations that are protected from modification during the lifetime
of the module. Integrity verification of executable firmware is performed separately
for ROM and EEPROM code.
Integrity of executable firmware stored in ROM and EEPROM is verified through a
SHA-1 hash of the code which is executed during the power on self tests and
compared to a value stored in nonvolatile memory when the EEPROM image is
loaded and locked into the module. The stored value stored in EEPROM is
protected from exposure, modification or deletion. The value cannot be changed
for the lifetime of the module.
The TOE does not implement an operating system as defined by FIPS 140-2.
Entry of data into the module is controlled by mechanisms for command, status
and data communication specified in the TPM Interface Specification (TCG PC
Client Specific TPM Interface Specification (TIS); Specification Version 1.21;
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 67
Revision 1.00; 11 April, 2011; Trusted Computing Group for LPC protocol units
and TPM Interface Specification (TCG PC Client Specific TPM Interface
Specification (TIS); Specification Version 1.3; Revision 27; 21 March 2013;
Trusted Computing Group for SPI protocol units. Entry of data in I2C protocol units
conform to the I2C Bus Specification and User Manual, Rev 5, 9 October 2012.
The set of possible functions is limited to the services listed in Table 10 – TOE
Services and specified in the TCG TPM Main Specification [2, 3, 4]. Any input data
or service requests outside those listed in Table 10 will result in failure of the
requested service, transmission of a failure code by the TPM and a return to the
idle state. Execution is restricted to a single service at any one time. Initiation of
any service will cause the module state machine to transition to the service
execution state. While the module is in the execution state, requests for new
services will be ignored. The module will continue execution until completion,
either passing or failing, at which time the module will return a status code and
transition to the idle state.
The TOE hardware is built using a proprietary wafer fabrication process and
cannot be modified during the lifetime of the module.
13.1 Operating ranges
Normal operating ranges are defined in the respective TOE datasheet [8, 18,
19]. Operation outside these ranges is not guaranteed, but physical security
mechanisms are implemented to assure that CSPs remain protected from
unauthorized disclosure, usage, modification or deletion.
Temperature: The normal operating temperature range of the TOE is -40°C
to +85°C.
Voltage: The normal operating voltage range of the TOE is 3.0V to 3.6V.
Frequency:
LPC units: The normal operating frequency for the LCLK input pin is
32.25 MHz to 33.90 MHz. The minimum clock period is 29.5 nsec. The
maximum clock period is 31.0 nsec.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 68
SPI, I2C units: The internal system clock is created by an internal
oscillator cell that has no external access.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 69
14 Mitigation of Other Attacks Policy
Security Level 1
The TOE meets Physical Security protection requirements for FIPS level 1. Physical security at level 1 assumes no physical protection of CSPs. Physical security protection mechanisms beyond the level 1 requirements have been implemented and are described in this section.
14.1 Housing The TOE is housed in an opaque, non-removable, tamper evident, package. Attempts to access the internal IC are detectable by visual inspection of the package.
14.2 Internal Tamper Detection The TOE contains an active metal shield that covers the internal TPM circuitry and memory components. Cutting, removing or modifying the shield layer will cause the TPM to Reset and enter a FAIL mode.
14.3 Environmental protection The TOE contains circuitry which will detect environmental conditions outside the range described in the product datasheet. Temperature, power supply voltage and the clock pulse width are continuously monitored. If conditions exist outside the range determined by the TPM tamper detection circuitry, the chip will Reset and will enter a FAILURE mode. The chip will remain Reset and in FAIL mode as long as the environmental condition causing the tamper event persists.
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 70
15 References Reference Number
Reference Title
1 FIPS PUB 140-2, Security Requirements for Cryptographic Modules / National Institute of Standards and Technology (NIST), CHANGE NOTICES (12-03-2002)
2 TPM Main; Part 1 Design Principles; Specification Version 1.2; Level 2; Revision 116; 1 March, 2011; Trusted Computing Group
3 TPM Main; Part 2 Structures; Specification Version 1.2; Level 2; Revision 116; 11 April, 2011; Trusted Computing Group
4 TPM Main; Part 3 Commands; Specification Version 1.2; Level 2; Revision 116; 1 March, 2011; Trusted Computing Group
5 TCG PC Client Specific TPM Interface Specification (TIS); Specification Version 1.21; Revision 1.00; 11 April, 2011; Trusted Computing Group
6 TCG PC Client Specific Implementation Specification for Conventional BIOS; Specification Version 1.21; Revision 1.00; 24 February, 2012 for TPM Family 1.2; Level 2.
7 Trusted Platform Module Atmel-Specific Commands Reference User Guide; AT97SC3204; Atmel Corporation; 300B—TPM—02/08
8 Trusted Platform Module; AT97SC3204; LPC Interface Datasheet 5294IX; 10-2013
9 Trusted Computing Group Physical Presence Interface Specification; Specification version 1.2; Version 1.20; Revision 1.00; February 10, 2011
10 TCG 1.2 TPM Physical Presence Management; Atmel Corporation
11 National Institute of Standards and Technology and Communications Security Establishment, Derived Test Requirements(DTR) for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
12 National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code, NIST Computer Security Division Page 3 07/26/2011, (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008.
13 National Institute of Standards and Technology, Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
14 National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, March, 2012.
15 National Institute of Standards and Technology, Annex C: Approved Random Number Generators for FIPS 140-2, Security Requirements for Cryptographic Modules.
16 Intel Low Pin Count (LPC) Interface Specification; Revision 1.1; August, 2002
17 PCI Local Bus Specification; Revision 2.2; December 18, 1998
18 Trusted Platform Module; AT97SC3205; SPI Interface Datasheet 8820GX; 12-2013
19 Trusted Platform Module; AT97SC3205T; 2-Wire Serial Interface Datasheet 8875BX; 12-2013
20 Atmel Specific TPM Commands Reference Guide; AT97SC3205; Application Note 5300EX; 12-2013; Atmel Corporation
21 TCG PC Client Specific TPM Interface Specification (TIS); Specification Version 1.3; Revision 27; 21 March 2013; Trusted Computing Group
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 71
22 I2C Bus Specification and User Manual, UM10204; Rev 5, 9 October 2012
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 72
16 Definitions and Acronyms Term Description
AES Symmetric cryptographic algorithm. Reference: http://csrc.nist.gov/CryptoToolkit/aes/
AIK
Attestation Identity Key: a special purpose signature key created by the TPM; an asymmetric key, the private portion of which is non-migratable and protected by the TPM. The public portion of an AIK is part of the AIK Credential, issued using either the Privacy CA or DAA protocol. An AIK can only be created by the TPM Owner or a delegate authorized by the TPM Owner. The AIK can be used for platform authentication, platform attestation and certification of keys.
AIK Credential
A credential issued by a Privacy CA that contains the public portion of an AIK key signed by a Privacy CA. The meaning and significance of the fields and the Privacy CA signature is a matter of policy. Typically it states that the public key is associated with a valid TPM.
Attestation
The process of vouching for the accuracy of information. External entities can attest to shielded locations, protected capabilities, and Roots of Trust. A platform can attest to its description of platform characteristics that affect the integrity (trustworthiness) of a platform. Both forms of attestation require reliable evidence of the attesting entity.
Attestation by the TPM
An operation that provides proof of data known to the TPM. This is done by digitally signing specific internal TPM data using an AIK. The acceptance and validity of both the integrity measurements and the AIK itself are determined by the Verifier. The AIK is obtained using either the Privacy CA or DAA protocol.
Attestation of the Platform
An operation that provides proof of a set of the platform’s integrity measurements. This is done by digitally signing a set of PCRs using an AIK in the TPM.
Attestation to the Platform
An operation that provides proof that a platform can be trusted to report integrity measurements; performed using the set or subset of the credentials associated with the platform; used to create an AIK credential.
Authentication of the platform
Provides proof of a claimed platform identity. The claimed identity may or may not be related to the user or any actions performed by the user. Platform Authentication is performed using any non-migratable key (e.g., an AIK). Since there are an unlimited number of non-migratable keys associated with the TPM there are an unlimited number of identities that can be authenticated.
Blob Generally meaning encrypted data that is generated by a TPM (for use in Protected Storage, or for saving context outside the TPM)
CMK
Certified Migration Key: a key whose migration from a TPM requires an authorization token created with private keys. The corresponding public keys are incorporated in the CMK and referenced when a TPM produces a credential describing the CMK. If a CMK credential is signed by an AIK, an external entity has evidence that a particular key (1) is protected by a valid TPM and (2) requires permission from a
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 73
specific authority before it can be copied.
CRTM Core RTM: the instructions executed by the platform when it acts as the RTM (Root of Trust for Measurement)
Challenger (Properly “Identity Challenger”) An entity that requests and has the ability to interpret integrity metrics.
Conformance Credential
A credential that vouches for the conformance of the TPM and the TBB to the TCG specifications
DAA Direct Anonymous Attestation: a protocol for vouching for an AIK using zero-knowledge-proof technology.
DAA Issuer
A known and recognized entity that interacts with the TPM to install a set of DAA-credentials in the TPM. The DAA issuer provides certification that the holder of such DAA-credentials meets some criteria defined by the Issuer. In many cases the Issuer will be the platform manufacturer, but other entities can become issuers.
Delegation A process that allows the Owner to delegate a subset of the Owner’s privileges (to perform specific TPM operations).
Denial-of-Service (attack)
An attack which has no affect on information except to prevent its use
Digest The resulting output of a SHA-1 hash operation
Endorsement Key
EK; an RSA Key pair composed of a public key (EKpu) and private (EKpr). The EK is used to recognize a genuine TPM. The EK is used to decrypt information sent to a TPM in the Privacy CA and DAA protocols, and during the installation of an Owner in the TPM.
Endorsement Key Credential
A credential containing the EKpu that asserts that the holder of the EKpr is a TPM conforming to TCG specifications. Most TPMs are implemented in hardware, but this is not mandatory.
Integrity challenge A process used to send accurate integrity measurements and PCR values to a challenger.
Integrity Measurement
(Metrics)
The process of obtaining metrics of platform characteristics that affect the integrity (trustworthiness) of a platform; storing those metrics; and putting digests of those metrics in shielded locations (called Platform Configuration Registers: PCRs)
Integrity Storage Storage of integrity metrics in a log and storage of a digest of those metrics in PCRs.
Integrity Reporting The process of attesting to the contents of integrity storage.
Locality A mechanism for supporting a privilege hierarchy in the platform
Migratable (key) A key which is not bound to a specific TPM and with suitable authorization can be used outside a TPM or moved to another TPM.
Non-migratable (key)
A key which is bound to a single TPM; a key that is (statistically) unique to a single TPM but may be moved between TPMs using the maintenance process
Non-volatile A shielded storage location whose contents are guaranteed to persist
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 74
(shielded location) between uses by Protected Capabilities.
Operator Anyone who has physical access to a platform
Owner The entity responsible for the platform’s security and privacy policies, that is distinguished by knowledge of the Owner authorization data.
PCR Platform Configuration Register: a shielded location containing a digest of integrity digests.
Platform Credential A credential, typically a digital certificate, attesting that a specific platform contains a unique TPM and TBB.
Protected Capabilities
The set of commands with exclusive permission to access shielded locations
Privacy CA
An entity, typically a Trusted Third Party (TTP), that blinds a verifier to a platform’s EK. An entity (typically well known and recognized) trusted by both the Owner and the Verifier, that will issue AIK Credentials. A Verifier may also adopt the role of a Privacy CA. In that case the roles are co-located but are logically distinct.
Root of Trust (component)
A component that must always behave in the expected manner, because its misbehavior cannot be detected. The complete set of Roots of Trust has at least the minimum set of functions to enable a description of the platform characteristics that affect the trustworthiness of the platform.
RSA Reference: http://www.rsa.com
RTM
“Root of Trust for Measurement”: a computing engine capable of making inherently reliable integrity measurements. Typically the normal platform computing engine, controlled by the CRTM. This is the root of the chain of transitive trust.
RTS “Root of Trust for Storage”: a computing engine capable of maintaining an accurate summary of values of integrity digests and the sequence of digests.
RTR “Root of Trust for Reporting”: a computing engine capable of reliably reporting information held by the RTS.
SHA-1 Reference: http://csrc.ncsl.nist.gov/cryptval/shs.html
Shielded Location A place (memory, register, etc.) where it is safe to operate on sensitive data; data locations that can be accessed only by “protected capabilities”.
SRK
Storage Root Key: the root key of a hierarchy of keys associated with a TPM’s Protected Storage function; a non-migratable key generated within a TPM.
TCG Trusted Computing Group
TSS Trusted Software Stack:software services that facilitate the use of the TPM but do not require the protections afforded to the TPM.
TBB Trusted Building Block: the parts of the Root of Trust that do not have shielded locations or protected capabilities. Normally includes just the
Atmel Trusted Platform Module AT97SC3204/AT97SC3205 Security Policy
Atmel Corporation Version 4.3, April 03, 2014
FIPS 140-2 Level 1 Page 75
instructions for the RTM and the TPM initialization functions (reset, etc.). Typically platform-specific. One example of a TBB is the combination of the CRTM, connection of the CRTM storage to a motherboard, the connection of the TPM to a motherboard, and mechanisms for determining Physical Presence.
Transitive Trust
Also known as “Inductive Trust”, in this process the Root of Trust gives a trustworthy description of a second group of functions. Based on this description, an interested entity can determine the trust it is to place in this second group of functions. If the interested entity determines that the trust level of the second group of functions is acceptable, the trust boundary is extended from the Root of Trust to include the second group of functions. In this case, the process can be iterated. The second group of functions can give a trustworthy description of the third group of functions, etc. Transitive trust is used to provide a trustworthy description of platform characteristics, and also to prove that non-migratable keys are non-migratable
Trust Trust is the expectation that a device will behave in a particular manner for a specific purpose.
TPM
Trusted Platform Module: an implementation of the functions defined in the TCG Trusted Platform Module Specification; the set of Roots of Trust with shielded locations and protected capabilities. Normally includes just the RTS and the RTR.
User An entity that is making use of the TPM capabilities
Validation Credential
A credential that states values of measurements that should be obtained when measuring a particular part of the platform when the part is functioning as expected.
Verifier
In the DAA model: the entity that interacts with the TPM using the DAA protocol to verify that the TPM has a valid set of DAA-credentials. The verifier may then produce an AIK credential, without reference to the platform EK.
In the “Trusted Third Party” model: the entity that requests, receives, and evaluates attestation information based on the EK. The TTP (Privacy CA) may then produce an AIK credential, after verifying the platform EK